This first thing to check is if the javascript is being allowed via the 'trustcontent' capability ( https://docs.moodle.org/en/Capabilities/moodle/site:trustcontent ). This is specifically to allow trusted users to add javascript (and any other potentially unsafe content) to text areas within Moodle (see the above link for one situation in which this is desirable).
It is, however, entirely possible that this is a text area that has just been missed in terms of being cleaned at all. In which case, it should be reported as a bug in Moodle tracker.
trustcontent is not the only mechanism.
Generally speaking, anywhere in Moodle where only teachers can input content, JavaScript is allowed through on the grounds that
It is a compromise, but a reasonable one.
Of course, in Moodle there is not necessarily any such thing as a 'Teacher' becuase roles can be re-defined. On the define roles page, you will see 'risk' icons next to each capability. One of those icons is 'Risk XSS'. It is the 'Risk XSS' capabilities that let you input JavaScript.
