From 8883c786c5a71c5a969b2829fab0e410707b583b Mon Sep 17 00:00:00 2001
From: "Daniel Cazalla (ZallaxDev)" <86362063+ZallaxDev@users.noreply.github.com>
Date: Mon, 9 Dec 2024 16:43:17 +0100
Subject: [PATCH 1/2] LTI: Added permissions checking and HTML escaping
---
 .../classes/class.ilLTIConsumerAdministrationGUI.php | 2 +-
 components/ILIAS/LTIConsumer/classes/class.ilObjLTIConsumer.php | 2 +-
 components/ILIAS/LTIConsumer/ltiregstart.php | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/components/ILIAS/LTIConsumer/classes/class.ilLTIConsumerAdministrationGUI.php b/components/ILIAS/LTIConsumer/classes/class.ilLTIConsumerAdministrationGUI.php
index 117b056c4d40..ea9aad5dc062 100755
--- a/components/ILIAS/LTIConsumer/classes/class.ilLTIConsumerAdministrationGUI.php
+++ b/components/ILIAS/LTIConsumer/classes/class.ilLTIConsumerAdministrationGUI.php
@@ -785,7 +785,7 @@ protected function confirmDeleteProviders(array $providers, string $cancelComman
 $confirmationGUI->addItem(
 'provider_ids[]',
 (string) $provider->getId(),
- $provider->getTitle(),
+ htmlspecialchars($provider->getTitle()),
 $providerIcon
 );
 }
diff --git a/components/ILIAS/LTIConsumer/classes/class.ilObjLTIConsumer.php b/components/ILIAS/LTIConsumer/classes/class.ilObjLTIConsumer.php
index 6262eb78a620..5d3a179f0e5d 100755
--- a/components/ILIAS/LTIConsumer/classes/class.ilObjLTIConsumer.php
+++ b/components/ILIAS/LTIConsumer/classes/class.ilObjLTIConsumer.php
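Review bot: Escaping the title in this `addItem()` call sits at odds with the registration path in the same series, which stores titles through `strip_tags()` with the `ilObjectGUI::ALLOWED_TAGS_IN_TITLE_AND_DESCRIPTION` allowlist, so a title that legitimately contains an allowed tag will now render as literal `&lt;b&gt;` text in the delete confirmation. Either policy is defensible, but it should be one policy: escape at the rendering layer for every `addItem()` caller, or apply the same allowlist-aware output routine here; if the confirmation GUI already escapes item titles itself (not visible here), this call double-encodes. A short why-comment on the new line, such as `// provider title is user-supplied via LTI dynamic registration; escape for HTML context`, would record the intent for the next reader. confirmDeleteProviders starts before the hunk and its end is not visible.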
@@ -1313,7 +1313,7 @@ public static function registerClient(array $data, object $tokenObj): array
 $reponseData = $data;
 $provider = new ilLTIConsumeProvider();
 $toolConfig = $data['https://purl.imsglobal.org/spec/lti-tool-configuration'];
- $provider->setTitle($data['client_name']);
+ $provider->setTitle(strip_tags($data['client_name'], ilObjectGUI::ALLOWED_TAGS_IN_TITLE_AND_DESCRIPTION));
 $provider->setProviderUrl($toolConfig['target_link_uri']);
 $provider->setInitiateLogin($data['initiate_login_uri']);
 $provider->setRedirectionUris(implode(",", $data['redirect_uris']));
diff --git a/components/ILIAS/LTIConsumer/ltiregstart.php b/components/ILIAS/LTIConsumer/ltiregstart.php
index 2e1022d07ec1..17fa7c391f3f 100755
--- a/components/ILIAS/LTIConsumer/ltiregstart.php
+++ b/components/ILIAS/LTIConsumer/ltiregstart.php
@@ -24,7 +24,7 @@
 ilInitialisation::initILIAS();
 global $DIC;
-if (!$DIC->user()->getId() || $DIC->user()->getId() === ANONYMOUS_USER_ID) {
+if (!$DIC->user()->getId() || !ilLTIConsumerAccess::hasCustomProviderCreationAccess()) {
 ilObjLTIConsumer::sendResponseError(401, "unauthorized");
 }
From 2877e1d67a8656492328a8d669126aa74fdd8a92 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sa=C3=BAl=20D=C3=ADaz?=
Date: Thu, 12 Dec 2024 12:40:47 +0100
Subject: [PATCH 2/2] Fix copyright
---
 .../classes/class.ilLTIConsumerAdministrationGUI.php | 4 ++--
 components/ILIAS/LTIConsumer/ltiregstart.php | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/components/ILIAS/LTIConsumer/classes/class.ilLTIConsumerAdministrationGUI.php b/components/ILIAS/LTIConsumer/classes/class.ilLTIConsumerAdministrationGUI.php
index ea9aad5dc062..1b2a28494c0a 100755
--- a/components/ILIAS/LTIConsumer/classes/class.ilLTIConsumerAdministrationGUI.php
+++ b/components/ILIAS/LTIConsumer/classes/class.ilLTIConsumerAdministrationGUI.php
@@ -1,7 +1,5 @@
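Review bot: `strip_tags()` with an allowlist is input sanitisation, not output escaping: attributes on the allowed tags survive it, and `$data['client_name']` comes straight from the dynamic-registration request body, so the stored title still has to be escaped for its context wherever it is rendered (the companion hunk in confirmDeleteProviders covers one rendering site only). The new line also reads `$data['client_name']` without checking that the key exists or holds a string; a missing key produces a warning and a null argument, and a non-string value (JSON can carry an array or object here) a TypeError, both before any registration error reaches the caller. A narrower form is `$provider->setTitle(strip_tags((string) ($data['client_name'] ?? ''), ilObjectGUI::ALLOWED_TAGS_IN_TITLE_AND_DESCRIPTION));`, or better, rejecting the registration through the existing error path when the name is absent. registerClient starts and ends outside the hunk.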
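Review bot: The new condition answers both "no session" and "logged in but not permitted" with the same `sendResponseError(401, "unauthorized")`; an authenticated user who fails `hasCustomProviderCreationAccess()` should get 403, which also keeps the two cases apart in access logs. Splitting the check makes that explicit: `if (!$DIC->user()->getId()) { ilObjLTIConsumer::sendResponseError(401, "unauthorized"); }` followed by `if (!ilLTIConsumerAccess::hasCustomProviderCreationAccess()) { ilObjLTIConsumer::sendResponseError(403, "forbidden"); }`. Whether `sendResponseError()` terminates the request is not visible here; if it only writes the response, execution must stop immediately after it, because the rest of this script runs on the caller's input. The `!$DIC->user()->getId()` operand is presumably redundant if the access check already rejects the anonymous user, but keeping it is harmless.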