LTI: Authentication check for registering new LTI providers and escap…

…ed HTML in the provider title in the setup form
surlabs · Dec 2, 2024 · 0647209 · 0647209
1 parent d8a9981
commit 0647209
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 6 deletions.
diff --git a/components/ILIAS/LTIConsumer/classes/class.ilLTIConsumeProviderFormGUI.php b/components/ILIAS/LTIConsumer/classes/class.ilLTIConsumeProviderFormGUI.php
@@ -73,7 +73,7 @@ public function initForm(string $formaction, string $saveCmd, string $cancelCmd)
         }
 
         $titleInp = new ilTextInputGUI($lng->txt('lti_con_prov_title'), 'title');
-        $titleInp->setValue($this->provider->getTitle());
+        $titleInp->setValue(htmlspecialchars($this->provider->getTitle()));
         $titleInp->setRequired(true);
         $this->addItem($titleInp);
 

diff --git a/components/ILIAS/LTIConsumer/ltiregstart.php b/components/ILIAS/LTIConsumer/ltiregstart.php
@@ -24,11 +24,8 @@
 ilInitialisation::initILIAS();
 global $DIC;
 
-if (strtoupper($DIC->http()->request()->getMethod()) !== "GET") {
-    $DIC->http()->saveResponse(
-        $DIC->http()->response()
-            ->withStatus(400)
-    );
+if (!$DIC->user()->getId() || $DIC->user()->getId() === ANONYMOUS_USER_ID) {
+	ilObjLTIConsumer::sendResponseError(401, "unauthorized");
 }
 
 $params = $DIC->http()->wrapper()->query();