- Improvement
- Resolution: Won't Do
- Minor
- None
- 2.7.2
- MOODLE_27_STABLE
Moodle "cleans" text on the way out using format_text and friends.
Some places in Moodle allow users to enter text that will be displayed with no cleaning. This requires a capability with the XSS bit set on it.
It could be helpful to indicate which bits of text in Moodle will be cleaned and which ones will not, e.g. creating a label in a course will not be cleaned; an assignment online text will be cleaned.
This would require reviewing how the data from each form field is used in Moodle.
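An added example (my code, not code from this issue, from the linked MDL-58639, or from Moodle core) of the two checks the description points at: listing the capabilities whose risk bitmask carries RISK_XSS, and the trusttext save/display pattern by which format_text() decides whether to clean a stored string. It assumes a working Moodle install, that the file is saved as admin/cli/xss_capabilities.php (the relative require path depends on that), and the sample text containing a script tag is constructed for the demonstration.

```php
<?php
// Added example, not Moodle core code. Assumed location: admin/cli/xss_capabilities.php
// in a working Moodle checkout, run with `php admin/cli/xss_capabilities.php`.
define('CLI_SCRIPT', true);
require(__DIR__ . '/../../config.php');
require_once($CFG->libdir . '/clilib.php');

/**
 * Names of all capabilities whose risk bitmask has RISK_XSS set. A holder of one
 * of these can submit markup that reaches the page without cleaning (when the
 * field uses trusttext and $CFG->enabletrusttext is on), so these are the
 * capabilities to audit when mapping which fields are cleaned and which are not.
 */
function xss_capabilities(): array {
    $names = [];
    foreach (get_all_capabilities() as $name => $cap) {
        if (((int) $cap->riskbitmask) & RISK_XSS) {
            $names[] = $name;
        }
    }
    sort($names);
    return $names;
}

/**
 * Save-time half of the trusttext pattern: record whether the author was trusted
 * (moodle/site:trustcontent, with trusttext enabled) in this context. The flag is
 * stored with the record, so later role changes do not retroactively trust it.
 */
function trust_flag_for_author(context $context): int {
    return trusttext_trusted($context) ? 1 : 0;
}

/**
 * Display-time half: clean unless the stored flag says the author was trusted.
 * format_text() only honours 'trusted' while $CFG->enabletrusttext is enabled,
 * so with trusttext off the output is cleaned regardless of the flag.
 */
function render_stored_text(string $text, int $format, int $trust, context $context): string {
    return format_text($text, $format, [
        'context' => $context,
        'trusted' => (bool) $trust,
    ]);
}

$context = context_system::instance();

// Constructed sample of what an attacker would try to store in a text field.
$sample = '<p>Hello</p><script>alert(document.cookie)</script>';

cli_heading('Capabilities carrying RISK_XSS');
foreach (xss_capabilities() as $name) {
    cli_writeln($name);
}

cli_heading('Rendering of the sample text');
cli_writeln('trust=0: ' . render_stored_text($sample, FORMAT_HTML, 0, $context));
cli_writeln('trust=1: ' . render_stored_text($sample, FORMAT_HTML, 1, $context));
cli_writeln('enabletrusttext is ' . (trusttext_active() ? 'on' : 'off')
    . '; trust flag for the current CLI user in system context = '
    . trust_flag_for_author($context));
```

The trust=0 line shows the script element removed by the cleaner; the trust=1 line only keeps it when $CFG->enabletrusttext is on. Fields rendered with 'noclean' => true (the route a course label takes, which format_module_intro() uses) bypass the cleaner without any trust flag at all, which is why the capability list above is only part of the audit the description asks for: the other part is finding every format_text() call site that passes 'noclean' or 'trusted'.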
- Has been marked as being related by: MDL-58639 Remove RISK_XSS from capabilities, instead rely on moodle/site:trustcontent
- Reopened