use `$.text` to put latex on the page

instead of `$.append`

does proper escaping of latex that might be interpreted as HTML tags

Fix CVE-2016-6524

notebook/static/notebook/js/outputarea.js

@@ -754,7 +754,7 @@ define([
          */
         var type = 'text/latex';
         var toinsert = this.create_output_subarea(md, "output_latex", type);
-        toinsert.append(latex);
+        toinsert.text(latex);
         element.append(toinsert);
         return toinsert;
     };