MDL-66582 tool_mobile: Clean URLs from auth plugins

In order to avoid the WebService to break we must double check that URLs coming from auth plugins are valid.

admin/tool/mobile/classes/api.php

@@ -210,6 +210,12 @@ class api {
         $identityprovidersdata = \auth_plugin_base::prepare_identity_providers_for_output($identityproviders, $OUTPUT);
         if (!empty($identityprovidersdata)) {
             $settings['identityproviders'] = $identityprovidersdata;
+            // Clean URLs to avoid breaking Web Services.
+            // We can't do it in prepare_identity_providers_for_output() because it may break the web output.
+            foreach ($settings['identityproviders'] as &$ip) {
+                $ip['url'] = (!empty($ip['url'])) ? clean_param($ip['url'], PARAM_URL) : '';
+                $ip['iconurl'] = (!empty($ip['iconurl'])) ? clean_param($ip['iconurl'], PARAM_URL) : '';
+            }
         }
 
         // If age is verified, return also the admin contact details.

admin/tool/mobile/tests/externallib_test.php

@@ -103,6 +103,7 @@ class tool_mobile_external_testcase extends externallib_advanced_testcase {
         );
         $this->assertEquals($expected, $result);
 
+        $this->setAdminUser();
         // Change some values.
         set_config('registerauth', 'email');
         $authinstructions = 'Something with <b>html tags</b>';
@@ -117,6 +118,18 @@ class tool_mobile_external_testcase extends externallib_advanced_testcase {
         set_config('disabledfeatures', 'myoverview', 'tool_mobile');
         set_config('minimumversion', '3.8.0', 'tool_mobile');
 
+        // Enable couple of issuers.
+        $issuer = \core\oauth2\api::create_standard_issuer('google');
+        $irecord = $issuer->to_record();
+        $irecord->clientid = 'mock';
+        $irecord->clientsecret = 'mock';
+        core\oauth2\api::update_issuer($irecord);
+
+        set_config('hostname', 'localhost', 'auth_cas');
+        set_config('auth_logo', 'http://invalidurl.com//invalid/', 'auth_cas');
+
+        set_config('auth', 'oauth2,cas');
+
         list($authinstructions, $notusedformat) = external_format_text($authinstructions, FORMAT_MOODLE, $context->id);
         $expected['registerauth'] = 'email';
         $expected['authinstructions'] = $authinstructions;
@@ -139,7 +152,26 @@ class tool_mobile_external_testcase extends externallib_advanced_testcase {
 
         $result = external::get_public_config();
         $result = external_api::clean_returnvalue(external::get_public_config_returns(), $result);
+        // First check providers.
+        $identityproviders = $result['identityproviders'];
+        unset($result['identityproviders']);
+
+        $this->assertEquals('Google', $identityproviders[0]['name']);
+        $this->assertEquals($irecord->image, $identityproviders[0]['iconurl']);
+        $this->assertContains($CFG->wwwroot, $identityproviders[0]['url']);
+
+        $this->assertEquals('CAS', $identityproviders[1]['name']);
+        $this->assertEmpty($identityproviders[1]['iconurl']);
+        $this->assertContains($CFG->wwwroot, $identityproviders[1]['url']);
+
         $this->assertEquals($expected, $result);
+
+        // Change providers img.
+        $newurl = 'validimage.png';
+        set_config('auth_logo', $newurl, 'auth_cas');
+        $result = external::get_public_config();
+        $result = external_api::clean_returnvalue(external::get_public_config_returns(), $result);
+        $this->assertContains($newurl, $result['identityproviders'][1]['iconurl']);
     }
 
     /**