Escape HTML chars in composer highlights

This is very embarrassing, I know

src/components/compose.jsx

@@ -133,7 +133,14 @@ const SCAN_RE = new RegExp(
 
 function highlightText(text, { maxCharacters = Infinity }) {
   // Accept text string, return formatted HTML string
-  let html = text;
+  // Escape all HTML special characters
+  let html = text
+    .replace(/&/g, '&')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;')
+    .replace(/"/g, '&quot;')
+    .replace(/'/g, '&apos;');
+
   // Exceeded characters limit
   const { composerCharacterCount } = states;
   let leftoverHTML = '';