XSS trusted users


Note: You are currently viewing documentation for Moodle 3.3. Up-to-date documentation for the latest stable version of Moodle is probably available here: XSS trusted users.

Certain capabilities enable users to add unchecked files and HTML code containing JavaScript and similar active content. This may be misused for cross-site scripting (XSS), with the potential to gain full admin access. These capabilities are intended for administrators and teachers only.

Make sure that you trust all the people on the XSS trusted users list.

Some forms of rich multimedia content, such as embedded Flash applets or small pieces of JavaScript, which teachers want to use to enhance their courses, rely on exactly the same technologies that attackers use for cross-site scripting.

If you were solely concerned with security, you would not allow this. However, Moodle is also concerned with education, so we have to make a compromise. Historically, the compromise was that teachers, course creators, and admins were trusted, and could post complex, but potentially risky content; while students and guests were not trusted, and anything they posted had the risky stuff stripped out.

These days, with configurable roles, it is a bit more complex, because there may be other roles, or the permissions of the standard roles may have been changed. This is why we have a column of risk items on the right of the define/override roles screen, so when you are editing the student role, you can be aware of the consequences of what you are doing.
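As an added illustration of the trust split described above (this is not Moodle's own cleaning code; the role names, allow-list and sample post are constructed for the example), a small Python model: posts from trusted roles pass through unchanged, while posts from everyone else are rebuilt through an allow-list that discards script elements, event-handler attributes and non-http(s) URLs.

```python
import html
from html.parser import HTMLParser
# Constructed stand-ins for the trusted roles the page names (admin, course creator, teacher).
TRUSTED_ROLES = {"admin", "coursecreator", "editingteacher"}
# Constructed allow-list; anything not listed is dropped from untrusted users' posts.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "img", "ul", "ol", "li", "br"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
BLOCKED = {"script", "style", "object", "embed", "iframe", "applet"}  # element and content go
SAFE_URL_PREFIXES = ("http://", "https://", "/")  # rejects javascript:, data:, vbscript: ...

class RiskStripper(HTMLParser):
    # Rebuilds markup keeping only allow-listed tags and attributes.
    def __init__(self):
        super().__init__()
        self.out = []
        self.skip = 0  # nesting depth inside a BLOCKED element
    def handle_starttag(self, tag, attrs):
        if tag in BLOCKED:
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            value = (value or "").strip()
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # event handlers and unknown attributes are dropped
            if name in ("href", "src") and not value.lower().startswith(SAFE_URL_PREFIXES):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in BLOCKED:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag not in ("br", "img"):
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))

def clean_for_role(role, markup):
    # Trusted roles post raw HTML; everyone else gets the stripped version.
    if role in TRUSTED_ROLES:
        return markup
    parser = RiskStripper()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)

# Constructed sample post: harmless formatting mixed with script-bearing markup.
SAMPLE = ('<p>Hi <b>all</b><script>alert(1)</script><img src="https://example.org/x.png" '
          'onerror="alert(2)"><a href="javascript:alert(3)">link</a></p>')
```

Running `clean_for_role("student", SAMPLE)` keeps the paragraph, bold text, image and link text but removes the script element, the `onerror` handler and the `javascript:` link target; the same call with `"editingteacher"` returns the post untouched.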

See also