How can I remove the executable script tag in the course search URL to prevent an XSS attack?
Currently a script can be executed via the URL, for example as below. It runs in the Firefox browser;
the Chrome browser automatically prevents the script.
http://localhost/course/index.php?search= ' "><script>alert("testing xss")</script>
Hello Khant, thanks for your question. We have a procedure for reporting potential security issues: https://docs.moodle.org/dev/Moodle_security_procedures#How_can_I_report_a_security_issue.3F Can you please submit a ticket and provide more details on the Moodle version you are using?