From b0a1166470b7ed12f310a4cc163d07bce36c3958 Mon Sep 17 00:00:00 2001
From: Matt Hughes
Date: Tue, 26 Jan 2021 16:34:05 -0500
Subject: [PATCH] Fix XSS vector for a11y text attached to notes editor

JIRA:SEC-1164
---
 lms/static/js/edxnotes/views/shim.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lms/static/js/edxnotes/views/shim.js b/lms/static/js/edxnotes/views/shim.js
index 453247039d..f5855f30f6 100644
--- a/lms/static/js/edxnotes/views/shim.js
+++ b/lms/static/js/edxnotes/views/shim.js
@@ -165,7 +165,7 @@
 .addField({
 load: function(field, annotation) {
 if (annotation.text) {
-$(field).html(HtmlUtils.HTML(Utils.nl2br(annotation.text)).toString());
+$(field).html(HtmlUtils.HTML(Utils.nl2br(Annotator.Util.escape(annotation.text))).toString());
 } else {
 // eslint-disable-next-line max-len
 $(field).html(HtmlUtils.joinHtml(HtmlUtils.HTML(''), _t('No Comment'), HtmlUtils.HTML('')).toString());
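Review bot: The added line still wraps user-supplied text in `HtmlUtils.HTML(...)`, which asserts the string is already trusted markup, so the fix depends entirely on `Annotator.Util.escape` being called first and on nobody later "simplifying" the call; the `else` branch right below shows the safer pattern, where `HtmlUtils.joinHtml` escapes the plain-string argument itself. A why-comment on the new line would protect the fix from that refactor: `// annotation.text is user-supplied: escape it before nl2br() so that HtmlUtils.HTML() only marks the <br> tags as trusted (SEC-1164)`. The escape-then-nl2br order is correct, since escaping after `nl2br` would neutralise the inserted `<br>` tags; it is worth confirming that `Annotator.Util.escape` covers quotes as well as angle brackets, because attribute contexts are not the only place this text could land. Any other field in this file that renders `annotation.text` through `HtmlUtils.HTML` presumably needs the same treatment, and a regression test feeding a `<script>` or `<img onerror>` payload through `load` and asserting it appears escaped would pin the behaviour. The `load` callback and the surrounding `.addField({...})` chain continue outside the hunk.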