From 5bfbcb7c98149d1610be8e4d0aa622d34aeac7c7 Mon Sep 17 00:00:00 2001
From: "Daniel Cazalla (ZallaxDev)" <86362063+ZallaxDev@users.noreply.github.com>
Date: Mon, 9 Dec 2024 14:33:00 +0100
Subject: [PATCH] LTI: Added permissions check and several HTML filters

Added strip_tags to title in ilObjLTIConsumer::registerClient and additional permissions check in ltiregstart.php
---
 Modules/LTIConsumer/classes/class.ilObjLTIConsumer.php | 2 +-
 Modules/LTIConsumer/ltiregstart.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/Modules/LTIConsumer/classes/class.ilObjLTIConsumer.php b/Modules/LTIConsumer/classes/class.ilObjLTIConsumer.php
index 7300ccf9268a..7f1eadb5a60d 100755
--- a/Modules/LTIConsumer/classes/class.ilObjLTIConsumer.php
+++ b/Modules/LTIConsumer/classes/class.ilObjLTIConsumer.php
@@ -1272,7 +1272,7 @@ public static function registerClient(array $data, object $tokenObj): array
 $reponseData = $data;
 $provider = new ilLTIConsumeProvider();
 $toolConfig = $data['https://purl.imsglobal.org/spec/lti-tool-configuration'];
- $provider->setTitle($data['client_name']);
+ $provider->setTitle(strip_tags($data['client_name'], ilObjectGUI::ALLOWED_TAGS_IN_TITLE_AND_DESCRIPTION));
 $provider->setProviderUrl($toolConfig['target_link_uri']);
 $provider->setInitiateLogin($data['initiate_login_uri']);
 $provider->setRedirectionUris(implode(",", $data['redirect_uris']));
diff --git a/Modules/LTIConsumer/ltiregstart.php b/Modules/LTIConsumer/ltiregstart.php
index 9f76e32c1488..a36677903a8f 100644
--- a/Modules/LTIConsumer/ltiregstart.php
+++ b/Modules/LTIConsumer/ltiregstart.php
@@ -26,7 +26,7 @@ ilInitialisation::initILIAS();
 global $DIC;
-if (!$DIC->user()->getId() || $DIC->user()->getId() === ANONYMOUS_USER_ID) {
+if (!$DIC->user()->getId() || !ilLTIConsumerAccess::hasCustomProviderCreationAccess()) {
 ilObjLTIConsumer::sendResponseError(401, "unauthorized");
 }
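Review bot: `strip_tags()` with an allow-list leaves the attributes of the allowed tags untouched, so depending on what `ilObjectGUI::ALLOWED_TAGS_IN_TITLE_AND_DESCRIPTION` permits (not visible here), event-handler, `href` or `style` attributes inside a kept tag survive into the stored title; a title supplied by a self-registering tool is untrusted input, and the sanitizer used when a title is entered through the object form would be the consistent choice. A missing `client_name` key now reaches `strip_tags()` as `null`, which is deprecated since PHP 8.1 and a `TypeError` if the file declares `strict_types`; `$provider->setTitle(strip_tags((string) ($data['client_name'] ?? ''), ilObjectGUI::ALLOWED_TAGS_IN_TITLE_AND_DESCRIPTION));` closes that. The sibling values taken from the same payload in the context lines (`target_link_uri`, `initiate_login_uri`, `redirect_uris`) are still passed through unchecked; if they are validated later in registerClient, that is outside this hunk. The enclosing function continues beyond the hunk.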
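Review bot: The new condition drops the explicit `ANONYMOUS_USER_ID` comparison, so rejecting the anonymous user now rests entirely on `ilLTIConsumerAccess::hasCustomProviderCreationAccess()`, whose body is not on the page; unless that method is known to deny anonymous sessions, the old check should stay alongside the new one: `if (!$DIC->user()->getId() || $DIC->user()->getId() === ANONYMOUS_USER_ID || !ilLTIConsumerAccess::hasCustomProviderCreationAccess()) {`. With a permission check in place, a logged-in user who merely lacks the permission is a 403 case rather than 401; testing the two conditions separately would let the status code say which one failed. Whether execution stops after `sendResponseError()` depends on that method terminating the request, which is not visible here.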