Dear Ryan,

Thank you for your response. In 2.5.9, I have 29 users with an XSS warning. But after the upgrade, I got 1xxx some users with an XSS warning. These additional users are students with only the student role.

As mentioned, I just did the standard upgrade from 2.5.9 to 2.8.3 (I did not change any role permission). It could also be possible that some permission that was previously not considered for triggering the XSS issue is now accounted for in the XSS warning in Moodle 2.8.3. In this case, it would be nice to know exactly which those are.

I only use standard roles (teacher, student, etc.) with default role permission settings. I would assume that Moodle should have default role permissions that are secure (especially for the student role). If this is not the case, I would like to consider this as a bug in the Moodle 2.8.3 upgrade process, wouldn't you agree?

Best regards,
Voravit T.
by Voravit Tanyingyong.