From 08d7ad77ba1c93001a613f9e5114f70be97e5ceb Mon Sep 17 00:00:00 2001
From: "Daniel Cazalla (ZallaxDev)" <86362063+ZallaxDev@users.noreply.github.com>
Date: Mon, 9 Dec 2024 15:42:11 +0100
Subject: [PATCH] LTI: HTML escaping in titles Added htmlspecialchars in ilLTIConsumeProvider::assignFromDbRow
---
 Modules/LTIConsumer/classes/class.ilLTIConsumeProvider.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Modules/LTIConsumer/classes/class.ilLTIConsumeProvider.php b/Modules/LTIConsumer/classes/class.ilLTIConsumeProvider.php
index 881d6be4ae6d..477f6cd82bf9 100755
--- a/Modules/LTIConsumer/classes/class.ilLTIConsumeProvider.php
+++ b/Modules/LTIConsumer/classes/class.ilLTIConsumeProvider.php
@@ -807,7 +807,7 @@ public function assignFromDbRow(array $dbRow): void
 switch ($field) {
 case 'id': $this->setId((int) $value);
 break;
- case 'title': $this->setTitle($value);
+ case 'title': $this->setTitle(htmlspecialchars($value));
 break;
 case 'description': $this->setDescription($value);
 break;
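Review bot: Escaping inside `assignFromDbRow` puts HTML-encoded text into the model's title instead of encoding at the point of output, so any code path that loads a provider and later saves it would persist the encoded title and encode it again on the next load (`&` ending up as `&amp;amp;`); whether such a save path exists is not visible in this hunk. The neighbouring `case 'description': $this->setDescription($value);` stays raw, so if descriptions are rendered in the same HTML contexts they keep the exposure this commit closes for titles. I would keep `$this->setTitle($value);` here and escape where the title is written into HTML; if the escaping has to stay in this method, make it explicit and null-safe with `case 'title': $this->setTitle(htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));`, since the default flags did not cover single quotes before PHP 8.1. The switch and the method body continue outside the hunk.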