Thanks for the report and the patch!
Looking into this, this isn't actually the right place to do this, since it's valid for HTML to appear in
highlight() (we use it for
<span> tags to properly format the full name), but I've made a change in the correct place to do the escaping (
xss in autocomplete
Review Request #5570 — Created March 2, 2014 and discarded
It will fix XSS vulnerabilities.
If a script is entered in First name or Last name, it is executed when you use autocomplete in the search box.
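The fix the maintainer describes above, escaping the user-controlled name before the highlight markup is wrapped around it rather than escaping inside highlight() (which must be allowed to emit its own <span> tags), as an added JavaScript example that is not Review Board's code. The function names escapeHtml, escapeRegExp, highlightUnsafe and highlightSafe, the "hl" class name and the sample names are all constructed for the example.

```javascript
// Added example, not Review Board's code: escape user-supplied text per
// segment and only then wrap matched segments in <span> markup, so the
// highlight tags stay live while any tags typed into a name field render
// as literal text.

// Minimal HTML escaper for text that will be inserted as innerHTML.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Escape regex metacharacters so the search query is matched literally.
function escapeRegExp(s) {
  return String(s).replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Unsafe variant (the bug class on this page): wraps the raw name, so any
// markup stored in First name / Last name becomes live HTML in the dropdown.
function highlightUnsafe(text, query) {
  if (!query) return text;
  const re = new RegExp('(' + escapeRegExp(query) + ')', 'gi');
  return String(text).replace(re, '<span class="hl">$1</span>');
}

// Hardened variant: match against the raw text (so a query like "amp" cannot
// accidentally hit the inside of an "&amp;" entity), but escape every
// segment, matched or not, before it is concatenated into the output.
function highlightSafe(text, query) {
  const s = String(text);
  if (!query) return escapeHtml(s);
  const re = new RegExp(escapeRegExp(query), 'gi');
  let out = '';
  let last = 0;
  let m;
  while ((m = re.exec(s)) !== null) {
    out += escapeHtml(s.slice(last, m.index));                 // text before the hit
    out += '<span class="hl">' + escapeHtml(m[0]) + '</span>'; // the hit itself
    last = m.index + m[0].length;
  }
  out += escapeHtml(s.slice(last));                              // trailing text
  return out;
}

// Constructed sample: a full name that carries markup, as the report describes.
const sampleName = 'Alice <b>Smith</b>';
console.log('unsafe:', highlightUnsafe(sampleName, 'smi'));
console.log('safe:  ', highlightSafe(sampleName, 'smi'));
```

The important design choice is that escaping happens on each segment after the match positions are found on the raw string; escaping the whole string first and then highlighting would let a query such as "amp" split an "&amp;" entity and corrupt the output.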