$serviceshortname = required_param('service', PARAM_ALPHANUMEXT);
$passport = required_param('passport', PARAM_RAW); // Passport send from the app to validate the response URL.
-$urlscheme = optional_param('urlscheme', 'moodlemobile', PARAM_ALPHANUM); // The URL scheme the app supports.
+$urlscheme = optional_param('urlscheme', 'moodlemobile', PARAM_NOTAGS); // The URL scheme the app supports.
$confirmed = optional_param('confirmed', false, PARAM_BOOL); // If we are being redirected after user confirmation.
$oauthsso = optional_param('oauthsso', 0, PARAM_INT); // Id of the OpenID issuer (for OAuth direct SSO).
+// Validate that the urlscheme is valid.
+if (!preg_match('/^[a-zA-Z][a-zA-Z0-9-\+\.]*$/', $urlscheme)) {
+ throw new moodle_exception('Invalid parameter: the value of urlscheme isn\'t valid. ' .
+ 'It should start with a letter and can only contain letters, numbers and the characters "." "+" "-".');
+}
+
// Check web services enabled.
if (!$CFG->enablewebservices) {
throw new moodle_exception('enablewsdescription', 'webservice');
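Review bot: The scheme check on line 8 anchors with `$`, which in PCRE also matches just before a final newline, so a value such as "moodlemobile\n" passes the regex now that PARAM_NOTAGS (line 4) no longer strips it the way PARAM_ALPHANUM did; anchor with `\z` (or add the `D` modifier): `if (!preg_match('/^[a-zA-Z][a-zA-Z0-9-\+\.]*\z/', $urlscheme)) {`. The character class itself is fine for an RFC 3986 scheme, including the literal `-` placed directly after the `0-9` range. The same PARAM_NOTAGS loosening in the settings hunk (line 19) adds no matching format check for the stored forcedurlscheme value; presumably it is validated elsewhere, but if not, admin_setting_configtext accepts a regex string as its paramtype, so the same pattern could be reused there. The `if (!$CFG->enablewebservices)` block starting on line 14 continues outside the hunk.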
$temp->add(new admin_setting_configtext('tool_mobile/forcedurlscheme',
new lang_string('forcedurlscheme_key', 'tool_mobile'),
- new lang_string('forcedurlscheme', 'tool_mobile'), 'moodlemobile', PARAM_ALPHANUM));
+ new lang_string('forcedurlscheme', 'tool_mobile'), 'moodlemobile', PARAM_NOTAGS));
$temp->add(new admin_setting_configtext('tool_mobile/minimumversion',
new lang_string('minimumversion_key', 'tool_mobile'),