catalyst / totara-mod-ojt

https://github.com/catalyst/totara-mod-ojt/wiki

File upload and rendering functionality issues. #23

Closed sergeyandrogogic closed 4 years ago

sergeyandrogogic commented 4 years ago

A potential vulnerability exists within the plugin that allows users to upload HTML files, which then are displayed in the frontend and may contain harmful JS or XSS vulnerabilities. A whitelisting of the uploaded files is desirable, or at least some kind of HTML purification before the output.

danmarsden commented 4 years ago

Thanks Sergey, I don't know ojt well myself, but I'm wondering why that's not doing a forcedownload like the way it handles this in mod_assign etc. I'll see if someone here can take a look!
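The mitigation Dan points at (serve uploads the way mod_assign does, with forcedownload, rather than rendering them inline) looks roughly like the pluginfile callback below. This is an added illustration, not code from the totara-mod-ojt project: the callback name `mod_ojt_pluginfile`, the `evidence` file area, the `mod/ojt:view` capability and the MIME allow-list are all assumptions for the example.

```php
<?php
// Added example, not part of totara-mod-ojt. Serves user-uploaded files from a
// hypothetical "evidence" file area of an ojt activity so that an uploaded
// .html file is downloaded instead of executed in the site's origin.
defined('MOODLE_INTERNAL') || die();

function mod_ojt_pluginfile($course, $cm, $context, $filearea, $args,
                            $forcedownload, array $options = array()) {
    // Only module-level contexts own these files.
    if ($context->contextlevel != CONTEXT_MODULE) {
        return false;
    }
    require_login($course, true, $cm);
    require_capability('mod/ojt:view', $context); // capability name assumed

    if ($filearea !== 'evidence') {                 // file area name assumed
        return false;
    }

    // Standard Moodle argument layout: itemid / [subdirs...] / filename.
    $itemid   = array_shift($args);
    $filename = array_pop($args);
    $filepath = $args ? '/' . implode('/', $args) . '/' : '/';

    $fs   = get_file_storage();
    $file = $fs->get_file($context->id, 'mod_ojt', $filearea, $itemid,
                          $filepath, $filename);
    if (!$file || $file->is_directory()) {
        return false;
    }

    // Defence in depth: an allow-list of types that cannot carry active
    // content. Anything else (text/html, image/svg+xml, ...) is refused.
    $allowed = array('application/pdf', 'image/png', 'image/jpeg', 'text/plain');
    if (!in_array($file->get_mimetype(), $allowed, true)) {
        send_file_not_found();
    }

    // Always force download, ignoring what the request asked for, so the
    // browser never renders the upload as a page under the Totara origin.
    send_stored_file($file, 0, 0, true, $options);
}
```

The allow-list is the "whitelisting" Sergey asks for; the forced download is the mod_assign behaviour Dan mentions, and either on its own already prevents an uploaded HTML file from running script in the site's origin.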