From a4149f4ff49af5b90612fbff4590038e24831e9d Mon Sep 17 00:00:00 2001
From: "Daniel Cazalla (ZallaxDev)"
 <86362063+ZallaxDev@users.noreply.github.com>
Date: Mon, 9 Dec 2024 16:43:17 +0100
Subject: [PATCH] LTI: Added permissions checking and HTML escaping

---
 .../classes/class.ilLTIConsumerAdministrationGUI.php            | 2 +-
 Modules/LTIConsumer/classes/class.ilObjLTIConsumer.php          | 2 +-
 Modules/LTIConsumer/ltiregstart.php                             | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/Modules/LTIConsumer/classes/class.ilLTIConsumerAdministrationGUI.php b/Modules/LTIConsumer/classes/class.ilLTIConsumerAdministrationGUI.php
index 633a65594c7f..3867fb983ed1 100755
--- a/Modules/LTIConsumer/classes/class.ilLTIConsumerAdministrationGUI.php
+++ b/Modules/LTIConsumer/classes/class.ilLTIConsumerAdministrationGUI.php
@@ -785,7 +785,7 @@ protected function confirmDeleteProviders(array $providers, string $cancelComman
             $confirmationGUI->addItem(
                 'provider_ids[]',
                 (string) $provider->getId(),
-                $provider->getTitle(),
+                htmlspecialchars($provider->getTitle()),
                 $providerIcon
             );
         }
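Review bot: `htmlspecialchars($provider->getTitle())` on the added line relies on the PHP-version default flags; before PHP 8.1 the default was ENT_COMPAT, which leaves single quotes unescaped, so the call should state its context explicitly: `htmlspecialchars($provider->getTitle(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. Note also that the sibling hunk in class.ilObjLTIConsumer.php stores titles through strip_tags with ilObjectGUI::ALLOWED_TAGS_IN_TITLE_AND_DESCRIPTION, so any tag that list permits will show up as literal text in this confirmation item — acceptable if the list is meant to be plain text, but a one-line comment such as `// title is rendered as plain text here; allowed markup is intentionally not interpreted` would stop a later change from "fixing" one side into inconsistency with the other. confirmDeleteProviders begins before this hunk.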
diff --git a/Modules/LTIConsumer/classes/class.ilObjLTIConsumer.php b/Modules/LTIConsumer/classes/class.ilObjLTIConsumer.php
index 53438ba2bd05..1f4a728873cc 100755
--- a/Modules/LTIConsumer/classes/class.ilObjLTIConsumer.php
+++ b/Modules/LTIConsumer/classes/class.ilObjLTIConsumer.php
@@ -1274,7 +1274,7 @@ public static function registerClient(array $data, object $tokenObj): array
         $reponseData = $data;
         $provider = new ilLTIConsumeProvider();
         $toolConfig = $data['https://purl.imsglobal.org/spec/lti-tool-configuration'];
-        $provider->setTitle($data['client_name']);
+        $provider->setTitle(strip_tags($data['client_name'], ilObjectGUI::ALLOWED_TAGS_IN_TITLE_AND_DESCRIPTION));
         $provider->setProviderUrl($toolConfig['target_link_uri']);
         $provider->setInitiateLogin($data['initiate_login_uri']);
         $provider->setRedirectionUris(implode(",", $data['redirect_uris']));
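Review bot: strip_tags on the added line removes disallowed tags but keeps every attribute on the tags that ALLOWED_TAGS_IN_TITLE_AND_DESCRIPTION permits, so it is input normalisation rather than escaping; every place the provider title is rendered still needs context-appropriate output encoding (the confirmation dialog in the first hunk does this; other render sites are outside this patch). `$data` is the body of an external registration request, so `client_name` may be absent or not a string — `strip_tags(null, ...)` is deprecated on PHP 8.1 and a non-string is a TypeError under strict_types — which suggests guarding it before the call: `$clientName = is_string($data['client_name'] ?? null) ? $data['client_name'] : '';` then `$provider->setTitle(strip_tags($clientName, ilObjectGUI::ALLOWED_TAGS_IN_TITLE_AND_DESCRIPTION));`. The same unguarded array access is visible on the following context lines for target_link_uri, initiate_login_uri and redirect_uris, though those are not part of this change. registerClient continues outside the hunk.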
diff --git a/Modules/LTIConsumer/ltiregstart.php b/Modules/LTIConsumer/ltiregstart.php
index 9f76e32c1488..a36677903a8f 100644
--- a/Modules/LTIConsumer/ltiregstart.php
+++ b/Modules/LTIConsumer/ltiregstart.php
@@ -26,7 +26,7 @@
 ilInitialisation::initILIAS();
 global $DIC;
 
-if (!$DIC->user()->getId() || $DIC->user()->getId() === ANONYMOUS_USER_ID) {
+if (!$DIC->user()->getId() || !ilLTIConsumerAccess::hasCustomProviderCreationAccess()) {
     ilObjLTIConsumer::sendResponseError(401, "unauthorized");
 }
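Review bot: The rewritten condition on line 48 answers 401 "unauthorized" both for a visitor who is not logged in and for a logged-in user who merely lacks the custom-provider permission; the second case is a 403, and folding both into one branch also drops the explicit ANONYMOUS_USER_ID check, so anonymous access now depends on hasCustomProviderCreationAccess() rejecting the anonymous user — its implementation is not in the patch, so that should be confirmed before relying on it. The guard also only works if sendResponseError() terminates the request; if it merely writes the response the script continues past the block, so an explicit exit after it makes the intent robust regardless (presumably it already exits, but the hunk does not show that). Keeping the old authentication guard and adding the permission guard as a separate check preserves both distinctions.
```php
if (!$DIC->user()->getId() || $DIC->user()->getId() === ANONYMOUS_USER_ID) {
    ilObjLTIConsumer::sendResponseError(401, "unauthorized");
    exit;
}
if (!ilLTIConsumerAccess::hasCustomProviderCreationAccess()) {
    ilObjLTIConsumer::sendResponseError(403, "forbidden");
    exit;
}
```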