Input reflected in response

by madhura railkar -

During security testing of a Moodle site, it was observed that user input was directly reflected in the response without validation.

The following are the example URLs:

https://mydomain/login/index.php [username parameter]

https://mydomain/theme/yui_combo.php [3.17.2/event-flick/event-flick-min.js parameter]

https://mydomain/theme/yui_combo.php [3.17.2/event-hover/event-hover-min.js parameter]

https://mydomain/theme/yui_combo.php [3.17.2/event-mousewheel/event-mousewheel-min.js parameter]

https://mydomain/theme/yui_combo.php [3.17.2/event-move/event-move-min.js parameter]

https://mydomain/theme/yui_combo.php [3.17.2/event-resize/event-resize-min.js parameter]

https://mydomain/theme/yui_combo.php [3.17.2/event-touch/event-touch-min.js parameter]

https://mydomain/theme/yui_combo.php [3.17.2/event-valuechange/event-valuechange-min.js parameter]

https://mydomain/theme/yui_combo.php [m/-1/core/event/event-min.js parameter]

How to achieve that?
