From 64cabae46d280e72e41313e8d62bf0dce98cd8a9 Mon Sep 17 00:00:00 2001
From: Anders Kaseorg
Date: Thu, 4 Apr 2024 16:48:15 -0700
Subject: [PATCH] web: Fix usage of .replace with variable replacement.
String.prototype.replace and String.prototype.replaceAll interpret certain sequences such as $$ within a string provided as the replacement argument. Avoid this interpretation by providing a function.
Signed-off-by: Anders Kaseorg
---
 web/src/settings_profile_fields.js | 2 +-
 web/third/marked/lib/marked.js | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/web/src/settings_profile_fields.js b/web/src/settings_profile_fields.js
index 21334e43d0..2bf7d5c079 100644
--- a/web/src/settings_profile_fields.js
+++ b/web/src/settings_profile_fields.js
@@ -781,7 +781,7 @@ export function get_external_account_link(field) {
 } else {
 field_url_pattern = realm.realm_default_external_accounts[field_subtype].url_pattern;
 }
- return field_url_pattern.replace("%(username)s", field.value);
+ return field_url_pattern.replace("%(username)s", () => field.value);
 }
 export function set_up() {
diff --git a/web/third/marked/lib/marked.js b/web/third/marked/lib/marked.js
index 80d725a262..5f5ab5f591 100644
--- a/web/third/marked/lib/marked.js
+++ b/web/third/marked/lib/marked.js
@@ -1188,7 +1188,7 @@ Parser.prototype.parse = function(src) {
 if (!safe) {
 html = escape(html);
 }
- output = output.replace('
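Review bot: In the `get_external_account_link` hunk of web/src/settings_profile_fields.js, the new return line still substitutes `field.value` into the URL pattern without percent-encoding it. The function replacement stops `$`-sequences from being interpreted, but a value containing `/`, `?` or `#` would still change the path, query or fragment of the generated link. Unless the value is already constrained where it is saved (not visible in this hunk, and the function starts above it), consider `return field_url_pattern.replace("%(username)s", () => encodeURIComponent(field.value));`. First confirm that no supported account type expects reserved characters to be passed through unencoded. A short comment such as `// Function form: a string replacement would have "$" sequences in field.value interpreted.` would also keep the callback from being simplified away later.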

' + key + '

', html) + output = output.replace('

' + key + '

', () => html) } return output; };