Somewhat similar vein, the school's blocking software would block YouTube and embeds unless they came from Canvas. They were smart enough to disable the HTML editor for posting discussion comments, but forgot that since it was a rich text editor, you could just copy-paste in an embed by putting the code in data:text/html, then copying the element as formatted HTML.

I also ran the entire DOMPurify sample XSS and managed to find one way to download custom content onto someone's computer.

Uh, did you tell the teacher by exploiting the vuln?