XSS trusted users
Note: You are currently viewing documentation for Moodle 3.3. Up-to-date documentation for the latest stable version of Moodle is probably available here: XSS trusted users.
Make sure that you trust all the people on the XSS trusted users list, as they are the ones with permissions to potentially write XSS exploits in forums etc.
If you were solely concerned with security, you would not allow this. However, Moodle is also concerned with education, so we have to make a compromise. Historically, the compromise was that teachers, course creators, and admins were trusted, and could post complex, but potentially risky content; while students and guests were not trusted, and anything they posted had the risky stuff stripped out.
These days, with configurable roles, it is a bit more complex, because there may be other roles, or the permissions of the standard roles may have been changed. This is why we have a column of risk items on the right of the define/override roles screen, so when you are editing the student role, you can be aware of the consequences of what you are doing.
- Using Moodle Security and Privacy forum