Red Hat Bugzilla – Bug 454246
CVE-2008-1502 moodle: KSES related XSS issue
Last modified: 2016-03-04 06:49:21 EST
Quoting Moodle security advisory MSA-08-0008:
During internal code review performed by Allegro.pl, some weaknesses were
discovered in KSES - PHP HTML/XHTML filter. HTML filters using or based on kses
are part of many popular projects, including WordPress, Moodle, Drupal,
eGroupware, Dokeos, PHP-Nuke, Geeklog and others. Issues found range from
cross-site scripting to code execution, depending on implementation.
There is a new option "Use HTML Purifier" in 1.9; it uses a different
whitelisting technique which is considered to be much safer than KSES.
Fixed upstream in: 1.8.5, 1.9

Upstream patches (1.8.x CVS branch):

F-9 and Rawhide are already using 1.9. F-8 should probably be updated to 1.8.5
or patches above can be applied.
moodle-1.8.5-1.fc8 has been submitted as an update for Fedora 8
moodle-1.8.5-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in: