Type: Bug
Resolution: Not a bug
Priority: Minor
Fix version: None
Affects version: 3.1.4
Affected branch: MOODLE_31_STABLE
When a teacher adds a resource, such as a file, to a course, they can supply an HTML description. The description field allows them to enter arbitrary HTML (including <script> tags).

Reproduction:

1. View a course as an editing user.
2. Click on the "+ Add an activity or resource" button.
3. Select "File" from the menu that pops open and click the "Add" button.
4. Provide a name and select a file (any file will do).
5. Check the "Display description on course page" checkbox.
6. Switch the editing mode of the "Description" field to HTML (by clicking on the <> button).
7. Enter the following description text: <script>console.log("This is arbitrary code");</script>
8. Save, display the course, and observe the result.
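The behaviour reported above is Moodle's intended trust model: accounts holding capabilities flagged RISK_XSS (editing teachers among them) are allowed to author raw HTML, and the linked issue proposes tying that pass-through to the single capability moodle/site:trustcontent instead. The following is an added illustration of that design, written for this page and not Moodle code: a description is passed through unchanged only when its author holds the trust capability, and is otherwise cleaned of script blocks, event-handler attributes and javascript: URLs. The sample description, the capability-set argument and the allow-list are assumptions made for the example.

```python
import html
from html.parser import HTMLParser

# Constructed sample: the payload from the report plus two common
# attribute-based vectors, so the cleaner has more than <script> to handle.
SAMPLE_DESCRIPTION = (
    'Lecture slides<script>console.log("This is arbitrary code");</script>'
    '<a href="javascript:alert(1)" onclick="x()">link</a>'
)

# Assumed allow-list for untrusted authors (Moodle's real cleaner is far larger).
ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "p", "br", "ul", "ol", "li"}
URL_ATTRS = {"href", "src"}
VOID_TAGS = {"br"}
TRUST_CAPABILITY = "moodle/site:trustcontent"  # name taken from the linked issue


class DescriptionSanitizer(HTMLParser):
    """Rebuilds the description from an allow-list, dropping anything executable."""

    def __init__(self):
        super().__init__()  # convert_charrefs=True: data arrives decoded, we re-escape it
        self.out = []
        self.skip_depth = 0  # >0 while inside <script>/<style>, whose text is discarded

    def _safe_attrs(self, attrs):
        safe = []
        for name, value in attrs:
            if name.startswith("on"):  # onclick=, onerror=, ...
                continue
            if name in URL_ATTRS and value and value.strip().lower().startswith("javascript:"):
                continue
            safe.append(f' {name}="{html.escape(value or "", quote=True)}"')
        return "".join(safe)

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tags are dropped, their text content is kept
        self.out.append(f"<{tag}{self._safe_attrs(attrs)}>")

    def handle_startendtag(self, tag, attrs):
        # <br/> and friends: emit the start tag only, never a bogus </br>
        if tag in VOID_TAGS:
            self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            # Re-escape decoded text so "&lt;script&gt;" stays inert
            self.out.append(html.escape(data, quote=False))


def clean_description(text):
    parser = DescriptionSanitizer()
    parser.feed(text)
    parser.close()
    return "".join(parser.out)


def render_description(text, author_capabilities):
    """Trusted authors get raw HTML; everyone else gets the cleaned version.

    author_capabilities is an assumed set of capability names held by the
    account that saved the description.
    """
    if TRUST_CAPABILITY in author_capabilities:
        return text
    return clean_description(text)


if __name__ == "__main__":
    print(render_description(SAMPLE_DESCRIPTION, {TRUST_CAPABILITY}))
    print(render_description(SAMPLE_DESCRIPTION, set()))
```

The practitioner check this models is the one the resolution rests on: the payload runs only for accounts that already hold a capability the site has chosen to trust, so the review question is which roles actually carry that capability on a given site, not whether the editor accepts script tags.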
Will be (partly) resolved by: MDL-58639 Remove RISK_XSS from capabilities, instead rely on moodle/site:trustcontent (status: Reopened)