LTI: Authentication check for registering new LTI providers, added st…

…rip_tags and htmlspecialchars The LTIConsumer creation entry point has been modified to add a user check and an unused get method check has been removed. Modified the ilLTIConsumeProviderFormGUI::initForm to remove possible HTML tags in the title and description. Added htmlspecialchars to ilObjLTIConsumer::registerClient.
surlabs · Dec 2, 2024 · e14ab20 · e14ab20
1 parent a376a2b
commit e14ab20
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 8 deletions.
diff --git a/Modules/LTIConsumer/classes/class.ilLTIConsumeProviderFormGUI.php b/Modules/LTIConsumer/classes/class.ilLTIConsumeProviderFormGUI.php
@@ -73,12 +73,12 @@ public function initForm(string $formaction, string $saveCmd, string $cancelCmd)
         }
 
         $titleInp = new ilTextInputGUI($lng->txt('lti_con_prov_title'), 'title');
-        $titleInp->setValue($this->provider->getTitle());
+        $titleInp->setValue(strip_tags($this->provider->getTitle(), ilObjectGUI::ALLOWED_TAGS_IN_TITLE_AND_DESCRIPTION));
         $titleInp->setRequired(true);
         $this->addItem($titleInp);
 
         $descInp = new ilTextInputGUI($lng->txt('lti_con_prov_description'), 'description');
-        $descInp->setValue($this->provider->getDescription());
+        $descInp->setValue(strip_tags($this->provider->getDescription(), ilObjectGUI::ALLOWED_TAGS_IN_TITLE_AND_DESCRIPTION));
         $this->addItem($descInp);
 
         $iconInp = new ilImageFileInputGUI($lng->txt('lti_con_prov_icon'), 'icon');

diff --git a/Modules/LTIConsumer/classes/class.ilObjLTIConsumer.php b/Modules/LTIConsumer/classes/class.ilObjLTIConsumer.php
@@ -1272,7 +1272,7 @@ public static function registerClient(array $data, object $tokenObj): array
         $reponseData = $data;
         $provider = new ilLTIConsumeProvider();
         $toolConfig = $data['https://purl.imsglobal.org/spec/lti-tool-configuration'];
-        $provider->setTitle($data['client_name']);
+        $provider->setTitle(htmlspecialchars($data['client_name']));
         $provider->setProviderUrl($toolConfig['target_link_uri']);
         $provider->setInitiateLogin($data['initiate_login_uri']);
         $provider->setRedirectionUris(implode(",", $data['redirect_uris']));

diff --git a/Modules/LTIConsumer/ltiregstart.php b/Modules/LTIConsumer/ltiregstart.php
@@ -26,11 +26,8 @@
 ilInitialisation::initILIAS();
 global $DIC;
 
-if (strtoupper($DIC->http()->request()->getMethod()) !== "GET") {
-    $DIC->http()->saveResponse(
-        $DIC->http()->response()
-            ->withStatus(400)
-    );
+if (!$DIC->user()->getId() || $DIC->user()->getId() === ANONYMOUS_USER_ID) {
+    ilObjLTIConsumer::sendResponseError(401, "unauthorized");
 }
 
 $params = $DIC->http()->wrapper()->query();