projectestac / moodle-atto_fontfamily

Font Family plugin for the Moodle Atto Editor

Inserting any code into the plugin #12

Open 9D3F opened 1 year ago

9D3F commented 1 year ago

The weak point of the plugin is: Any code, even from external sources, can be integrated into the pages unfiltered. This code is executed on the end devices of the users (students and teachers). (Category: Remote Code Execution - critical) The risk lies with the administrator. He alone must judge whether the code is problematic or not. (Risk: Very high). Students cannot modify the content.

Is it possible to make adjustments for this to make the plugin more secure?

[Screenshot 2023-02-08 095654]

@crazyserver @Projectes TAC Dep. Educació Catalunya

eledia commented 1 year ago

We also encounter this. The solution seems simple: just add a restrictive parameter type to the admin_setting_configtextarea for this element. You did not set any, and the default is PARAM_RAW, which allows anything. If you put PARAM_TEXT in there explicitly, no code can be saved there. Or is there anything speaking against this?
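To illustrate the change proposed above, here is an added example of a Moodle settings.php fragment showing the weak declaration beside the hardened one. This is not the plugin's own code: the setting name, language-string keys and default value are placeholders, while admin_setting_configtextarea, PARAM_RAW and PARAM_TEXT are real Moodle identifiers.

```php
<?php
// Added example (not atto_fontfamily's own settings.php). The setting name,
// language strings and default below are placeholders, not the plugin's real ones.
defined('MOODLE_INTERNAL') || die();

if ($ADMIN->fulltree) {
    // WEAK: the fifth constructor argument ($paramtype) is omitted, so
    // admin_setting_configtextarea falls back to PARAM_RAW. Whatever the
    // administrator pastes, including <script> or <style> markup, is stored
    // verbatim and later emitted into every page that loads the editor.
    $weak = new admin_setting_configtextarea(
        'atto_fontfamily/fontlist_placeholder',          // assumed setting name
        get_string('fontlist', 'atto_fontfamily'),       // assumed string key
        get_string('fontlist_desc', 'atto_fontfamily'),  // assumed string key
        "Arial\nTimes New Roman"                         // constructed default
    );

    // HARDENED: pass PARAM_TEXT explicitly. On save, the admin form runs the
    // submitted value through clean_param($value, PARAM_TEXT), which strips
    // HTML tags (only Moodle multilang spans survive), so markup can no longer
    // be persisted in this setting. Font names are plain text, so nothing
    // legitimate is lost.
    $hardened = new admin_setting_configtextarea(
        'atto_fontfamily/fontlist_placeholder',
        get_string('fontlist', 'atto_fontfamily'),
        get_string('fontlist_desc', 'atto_fontfamily'),
        "Arial\nTimes New Roman",
        PARAM_TEXT                                       // restrictive type
    );

    // Register only the hardened definition; $weak is shown for contrast.
    $settings->add($hardened);
}
```

Existing stored values are not re-cleaned retroactively; an administrator should re-save the setting (or check the config value) after deploying the change so anything saved under PARAM_RAW is filtered too.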