From 11b472cecad16a8605bda417d0631cb095f41bf2 Mon Sep 17 00:00:00 2001
From: =Awais Jibran
Date: Wed, 28 Jul 2021 01:38:08 +0500
Subject: [PATCH] fix: discussion xss fix
---
 common/static/common/js/discussion/utils.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/common/static/common/js/discussion/utils.js b/common/static/common/js/discussion/utils.js
index 1d544807c671..9a1396f73e66 100644
--- a/common/static/common/js/discussion/utils.js
+++ b/common/static/common/js/discussion/utils.js
@@ -370,7 +370,8 @@
 var RE_DISPLAYMATH = /^([^\$]*?)\$\$([^\$]*?)\$\$(.*)$/m,
 RE_INLINEMATH = /^([^\$]*?)\$([^\$]+?)\$(.*)$/m,
 ESCAPED_DOLLAR = '@@ESCAPED_D@@',
- ESCAPED_BACKSLASH = '@@ESCAPED_B@@';
+ ESCAPED_BACKSLASH = '@@ESCAPED_B@@',
+ LATEX_SCRIPT = '\{javascript\:(.+?)\}';
 /**
 * Formats math and code chunks
@@ -417,6 +418,7 @@
 return processor(('\\begin{' + $1 + '}') + $2 + ('\\end{' + $1 + '}'));
 });
 htmlString = htmlString.replace(new RegExp(ESCAPED_BACKSLASH, 'g'), '\\\\\\\\');
+ htmlString = htmlString.replace(new RegExp(LATEX_SCRIPT, 'g'), '{}');
 $div = edx.HtmlUtils.setHtml($('
'), edx.HtmlUtils.HTML(htmlString));
 $div.find('code').each(function(index, code) {
 edx.HtmlUtils.setHtml(
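Review bot: The new `LATEX_SCRIPT` strip is case-sensitive and single-line only: `new RegExp(LATEX_SCRIPT, 'g')` carries no `i` flag and `.+?` does not match across a newline, so text the pattern does not cover still reaches `edx.HtmlUtils.HTML(htmlString)`, which marks the string as trusted; the pattern itself is declared in the first hunk. The string form also leans on `\{` and `\:` being identity escapes and on a bare `{` being read as a literal by the regex engine; a regex literal states the intent directly, e.g. `LATEX_SCRIPT = /\{javascript:([\s\S]+?)\}/gi;` in the declaration list and `htmlString = htmlString.replace(LATEX_SCRIPT, '{}');` here. Removing one pattern is a denylist, so the durable control is to sanitize the rendered HTML before it is wrapped as trusted, unless the markdown renderer upstream of this function already does so; a why-comment on the new line, `// strip javascript: payloads embedded in LaTeX braces before the markup is marked safe`, would tell the next reader what the line guards against. The enclosing formatter function starts before and ends after this hunk.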