From a4149f4ff49af5b90612fbff4590038e24831e9d Mon Sep 17 00:00:00 2001
From: "Daniel Cazalla (ZallaxDev)" <86362063+ZallaxDev@users.noreply.github.com>
Date: Mon, 9 Dec 2024 16:43:17 +0100
Subject: [PATCH] LTI: Added permissions checking and HTML escaping

---
 .../classes/class.ilLTIConsumerAdministrationGUI.php | 2 +-
 Modules/LTIConsumer/classes/class.ilObjLTIConsumer.php | 2 +-
 Modules/LTIConsumer/ltiregstart.php | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/Modules/LTIConsumer/classes/class.ilLTIConsumerAdministrationGUI.php b/Modules/LTIConsumer/classes/class.ilLTIConsumerAdministrationGUI.php
index 633a65594c7f..3867fb983ed1 100755
--- a/Modules/LTIConsumer/classes/class.ilLTIConsumerAdministrationGUI.php
+++ b/Modules/LTIConsumer/classes/class.ilLTIConsumerAdministrationGUI.php
@@ -785,7 +785,7 @@ protected function confirmDeleteProviders(array $providers, string $cancelComman
 $confirmationGUI->addItem(
 'provider_ids[]',
 (string) $provider->getId(),
- $provider->getTitle(),
+ htmlspecialchars($provider->getTitle()),
 $providerIcon
 );
 }
diff --git a/Modules/LTIConsumer/classes/class.ilObjLTIConsumer.php b/Modules/LTIConsumer/classes/class.ilObjLTIConsumer.php
index 53438ba2bd05..1f4a728873cc 100755
--- a/Modules/LTIConsumer/classes/class.ilObjLTIConsumer.php
+++ b/Modules/LTIConsumer/classes/class.ilObjLTIConsumer.php
@@ -1274,7 +1274,7 @@ public static function registerClient(array $data, object $tokenObj): array
 $reponseData = $data;
 $provider = new ilLTIConsumeProvider();
 $toolConfig = $data['https://purl.imsglobal.org/spec/lti-tool-configuration'];
- $provider->setTitle($data['client_name']);
+ $provider->setTitle(strip_tags($data['client_name'], ilObjectGUI::ALLOWED_TAGS_IN_TITLE_AND_DESCRIPTION));
 $provider->setProviderUrl($toolConfig['target_link_uri']);
 $provider->setInitiateLogin($data['initiate_login_uri']);
 $provider->setRedirectionUris(implode(",", $data['redirect_uris']));
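Review bot: The added `htmlspecialchars($provider->getTitle())` call relies on PHP's version-dependent default flags (before 8.1 the default leaves single quotes unescaped), so make them explicit: `htmlspecialchars($provider->getTitle(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. The companion change in ilObjLTIConsumer::registerClient stores titles with a tag allow-list, so a title containing one of those allowed tags will now render as literal text in this confirmation list; if that is intended, a one-line comment above the call saying the title is escaped here because it is not trusted as HTML would help the next reader. If the confirmation GUI's `addItem()` already escapes its title argument, this would double-encode — worth confirming against that method. confirmDeleteProviders starts before this hunk.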
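Review bot: `strip_tags()` with an allow-list leaves the attributes of allowed tags untouched (the PHP manual documents this), so the new `setTitle(strip_tags(...))` line only removes disallowed tags from the externally supplied `client_name`; the output-side escaping elsewhere in this commit is what actually protects rendering, and a comment here stating that the stored title is not to be treated as safe HTML would make that contract explicit. If `client_name` can be absent from the registration payload, `strip_tags()` receives null, which is deprecated on PHP 8.1+; `(string) ($data['client_name'] ?? '')` avoids that. The other values read from `$data` and `$toolConfig` on the surrounding lines are stored without validation, but that predates this patch. registerClient continues outside the hunk.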
diff --git a/Modules/LTIConsumer/ltiregstart.php b/Modules/LTIConsumer/ltiregstart.php
index 9f76e32c1488..a36677903a8f 100644
--- a/Modules/LTIConsumer/ltiregstart.php
+++ b/Modules/LTIConsumer/ltiregstart.php
@@ -26,7 +26,7 @@
 ilInitialisation::initILIAS();
 global $DIC;
-if (!$DIC->user()->getId() || $DIC->user()->getId() === ANONYMOUS_USER_ID) {
+if (!$DIC->user()->getId() || !ilLTIConsumerAccess::hasCustomProviderCreationAccess()) {
 ilObjLTIConsumer::sendResponseError(401, "unauthorized");
 }
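Review bot: The replaced condition drops the explicit `=== ANONYMOUS_USER_ID` check in favour of `ilLTIConsumerAccess::hasCustomProviderCreationAccess()`; unless that method is known to reject the anonymous user (its body is not visible here), keep both guards: `if (!$DIC->user()->getId() || $DIC->user()->getId() === ANONYMOUS_USER_ID || !ilLTIConsumerAccess::hasCustomProviderCreationAccess()) {`. With the permission check in place, the failure can now be a missing permission for an authenticated user, for which 403 is the more accurate status than 401; a single 401 is acceptable only if callers do not distinguish the two. Whether `sendResponseError()` terminates the request cannot be seen from this hunk — if it does not, the script continues past the block for an unauthorized caller.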