$string['usebasicauth'] = 'Authenticate token requests via HTTP headers';
$string['usebasicauth_help'] = 'Utilise the HTTP Basic authentication scheme when sending client ID and password with a refresh token request. Recommended by the OAuth 2 standard, but may not be available with some issuers.';
$string['userfieldexternalfield'] = 'External field name';
+$string['userfieldexternalfield_error'] = 'This field cannot contain HTML.';
$string['userfieldexternalfield_help'] = 'Name of the field provided by the external OAuth system.';
$string['userfieldinternalfield_help'] = 'Name of the Moodle user field that should be mapped from the external field.';
$string['userfieldinternalfield'] = 'Internal field name';
defined('MOODLE_INTERNAL') || die();
use core\persistent;
-
+use lang_string;
/**
* Class for loading/storing oauth2 user field mappings from the DB
*
'type' => PARAM_INT
),
'externalfield' => array(
- 'type' => PARAM_ALPHANUMEXT,
+ 'type' => PARAM_RAW_TRIMMED,
),
'internalfield' => array(
'type' => PARAM_ALPHANUMEXT,
public function get_internalfield_list() {
return array_combine(self::get_user_fields(), self::get_user_fields());
}
+
+ /**
+ * Ensures that no HTML is saved to externalfield field
+ * but preserves all special characters that can be a part of the claim
+ * @return boolean true if validation is successful, string error if externalfield is not validated
+ */
+ protected function validate_externalfield($value){
+ // This parameter type is set to PARAM_RAW_TRIMMED and HTML check is done here.
+ if (clean_param($value, PARAM_NOTAGS) !== $value){
+ return new lang_string('userfieldexternalfield_error', 'tool_oauth2');
+ }
+ return true;
+ }
}
