npm - @lti-tool/core - Versions diffs - 0.14.0 → 1.0.0 - Mend

@lti-tool/core 0.14.0 → 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (31) hide show

package/CHANGELOG.md +17 -0
package/dist/services/ags.service.d.ts.map +1 -1
package/dist/services/ags.service.js +10 -12
package/dist/services/deepLinking.service.d.ts.map +1 -1
package/dist/services/deepLinking.service.js +3 -2
package/dist/services/dynamicRegistration.service.d.ts.map +1 -1
package/dist/services/dynamicRegistration.service.js +6 -4
package/dist/services/dynamicRegistrationHandlers/moodle.d.ts.map +1 -1
package/dist/services/dynamicRegistrationHandlers/moodle.js +6 -4
package/dist/services/nrps.service.d.ts.map +1 -1
package/dist/services/nrps.service.js +2 -1
package/dist/services/session.service.d.ts.map +1 -1
package/dist/services/session.service.js +7 -2
package/dist/services/token.service.d.ts.map +1 -1
package/dist/services/token.service.js +2 -1
package/dist/utils/htmlEscaping.d.ts +28 -0
package/dist/utils/htmlEscaping.d.ts.map +1 -0
package/dist/utils/htmlEscaping.js +34 -0
package/dist/utils/ltiServiceFetch.d.ts +22 -0
package/dist/utils/ltiServiceFetch.d.ts.map +1 -0
package/dist/utils/ltiServiceFetch.js +35 -0
package/package.json +1 -1
package/src/services/ags.service.ts +10 -12
package/src/services/deepLinking.service.ts +3 -2
package/src/services/dynamicRegistration.service.ts +6 -4
package/src/services/dynamicRegistrationHandlers/moodle.ts +6 -4
package/src/services/nrps.service.ts +2 -1
package/src/services/session.service.ts +7 -2
package/src/services/token.service.ts +3 -1
package/src/utils/htmlEscaping.ts +34 -0
package/src/utils/ltiServiceFetch.ts +42 -0

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,22 @@
 # @lti-tool/core
+## 1.0.0
+### Major Changes
+- 3bcba99: First stable release of LTI 1.3 toolkit for Node.js.
+  - Add ltiServiceFetch utility with automatic User-Agent injection for Canvas API compliance (effective January 2026)
+  - Add HTML escaping utility for XSS prevention in dynamic registration flows
+  - Complete LTI 1.3 specification: OIDC authentication, AGS, NRPS, Deep Linking, Dynamic Registration
+  - Serverless-native design optimized for AWS Lambda and Cloudflare Workers
+  - Cookie-free session management for iframe compatibility
+## 0.14.1
+### Patch Changes
+- 25534f8: Fix score and results endpoint to use a cleansed ags line item endpoint without search params.
 ## 0.14.0
 ### Minor Changes

package/dist/services/ags.service.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"ags.service.d.ts","sourceRoot":"","sources":["../../src/services/ags.service.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,MAAM,CAAC;AAEvC,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAC9D,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAC9D,OAAO,KAAK,EACV,cAAc,EACd,cAAc,EACf,MAAM,yCAAyC,CAAC;AACjD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,gDAAgD,CAAC;~~AAGtF~~,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAEvD;;;;;GAKG;AACH,qBAAa,UAAU;IASnB,OAAO,CAAC,YAAY;IACpB,OAAO,CAAC,OAAO;IACf,OAAO,CAAC,MAAM;IAVhB;;;;;;OAMG;gBAEO,YAAY,EAAE,YAAY,EAC1B,OAAO,EAAE,UAAU,EACnB,MAAM,EAAE,UAAU;IAG5B;;;;;;;;;;;;;;;;;;OAkBG;IACG,WAAW,CAAC,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,eAAe,GAAG,OAAO,CAAC,QAAQ,CAAC;~~IAiCjF~~;;;;;;;;;;;;;OAaG;IACG,SAAS,CAAC,OAAO,EAAE,UAAU,GAAG,OAAO,CAAC,QAAQ,CAAC;~~IA4BvD~~;;;;;;;;;;;;;OAaG;IACG,aAAa,CAAC,OAAO,EAAE,UAAU,GAAG,OAAO,CAAC,QAAQ,CAAC;IAsB3D;;;;;;;;;;;;;OAaG;IACG,WAAW,CAAC,OAAO,EAAE,UAAU,GAAG,OAAO,CAAC,QAAQ,CAAC;IAsBzD;;;;;;;;;;;;;;;;;;;OAmBG;IACG,cAAc,CAClB,OAAO,EAAE,UAAU,EACnB,cAAc,EAAE,cAAc,GAC7B,OAAO,CAAC,QAAQ,CAAC;IAuBpB;;;;;;;;;;;;;;;;;OAiBG;IACG,cAAc,CAClB,OAAO,EAAE,UAAU,EACnB,cAAc,EAAE,cAAc,GAC7B,OAAO,CAAC,QAAQ,CAAC;IAuBpB;;;;;;;;;;;;OAYG;IACG,cAAc,CAAC,OAAO,EAAE,UAAU,GAAG,OAAO,CAAC,QAAQ,CAAC;YAqB9C,WAAW;YAeX,mBAAmB;CAalC"}
1	+ {"version":3,"file":"ags.service.d.ts","sourceRoot":"","sources":["../../src/services/ags.service.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,MAAM,CAAC;AAEvC,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAC9D,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAC9D,OAAO,KAAK,EACV,cAAc,EACd,cAAc,EACf,MAAM,yCAAyC,CAAC;AACjD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,gDAAgD,CAAC;AAItF,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAEvD;;;;;GAKG;AACH,qBAAa,UAAU;IASnB,OAAO,CAAC,YAAY;IACpB,OAAO,CAAC,OAAO;IACf,OAAO,CAAC,MAAM;IAVhB;;;;;;OAMG;gBAEO,YAAY,EAAE,YAAY,EAC1B,OAAO,EAAE,UAAU,EACnB,MAAM,EAAE,UAAU;IAG5B;;;;;;;;;;;;;;;;;;OAkBG;IACG,WAAW,CAAC,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,eAAe,GAAG,OAAO,CAAC,QAAQ,CAAC;IAkCjF;;;;;;;;;;;;;OAaG;IACG,SAAS,CAAC,OAAO,EAAE,UAAU,GAAG,OAAO,CAAC,QAAQ,CAAC;IAwBvD;;;;;;;;;;;;;OAaG;IACG,aAAa,CAAC,OAAO,EAAE,UAAU,GAAG,OAAO,CAAC,QAAQ,CAAC;IAsB3D;;;;;;;;;;;;;OAaG;IACG,WAAW,CAAC,OAAO,EAAE,UAAU,GAAG,OAAO,CAAC,QAAQ,CAAC;IAsBzD;;;;;;;;;;;;;;;;;;;OAmBG;IACG,cAAc,CAClB,OAAO,EAAE,UAAU,EACnB,cAAc,EAAE,cAAc,GAC7B,OAAO,CAAC,QAAQ,CAAC;IAuBpB;;;;;;;;;;;;;;;;;OAiBG;IACG,cAAc,CAClB,OAAO,EAAE,UAAU,EACnB,cAAc,EAAE,cAAc,GAC7B,OAAO,CAAC,QAAQ,CAAC;IAuBpB;;;;;;;;;;;;OAYG;IACG,cAAc,CAAC,OAAO,EAAE,UAAU,GAAG,OAAO,CAAC,QAAQ,CAAC;YAqB9C,WAAW;YAeX,mBAAmB;CAalC"}

package/dist/services/ags.service.js CHANGED Viewed

@@ -1,4 +1,5 @@
 import { getValidLaunchConfig } from '../utils/launchConfigValidation.js';
+import { ltiServiceFetch } from '../utils/ltiServiceFetch.js';
 /**
  * Assignment and Grade Services (AGS) implementation for LTI 1.3.
  * Provides methods to submit grades and scores back to the platform.
@@ -54,7 +55,8 @@ export class AGSService {
             activityProgress: score.activityProgress,
             gradingProgress: score.gradingProgress,
         };
-        const response = await fetch(`${session.services.ags.lineitem}/scores`, {
+        const agsScoreEndpoint = `${session.services.ags.lineitem}/scores`;
+        const response = await ltiServiceFetch(agsScoreEndpoint, {
             method: 'POST',
             headers: {
                 Authorization: `Bearer ${token}`,
@@ -84,12 +86,8 @@ export class AGSService {
             throw new Error('AGS line item not available for this session');
         }
         const token = await this.getAGSToken(session, 'https://purl.imsglobal.org/spec/lti-ags/scope/result.readonly');
-        // cleanse the results URL
-        // we cannot include a search / query param
-        const lineItemUrl = new URL(session.services.ags.lineitem);
-        lineItemUrl.search = '';
-        const resultsUrl = `${lineItemUrl.toString()}/results`;
-        const response = await fetch(resultsUrl, {
+        const resultsEndpoint = `${session.services.ags.lineitem}/results`;
+        const response = await ltiServiceFetch(resultsEndpoint, {
             method: 'GET',
             headers: {
                 Authorization: `Bearer ${token}`,
@@ -118,7 +116,7 @@ export class AGSService {
             throw new Error('AGS list line items not available for this session');
         }
         const token = await this.getAGSToken(session, 'https://purl.imsglobal.org/spec/lti-ags/scope/lineitem.readonly');
-        const response = await fetch(`${session.services.ags.lineitems}`, {
+        const response = await ltiServiceFetch(`${session.services.ags.lineitems}`, {
             method: 'GET',
             headers: {
                 Authorization: `Bearer ${token}`,
@@ -147,7 +145,7 @@ export class AGSService {
             throw new Error('AGS line item not available for this session');
         }
         const token = await this.getAGSToken(session, 'https://purl.imsglobal.org/spec/lti-ags/scope/lineitem.readonly');
-        const response = await fetch(`${session.services.ags.lineitem}`, {
+        const response = await ltiServiceFetch(`${session.services.ags.lineitem}`, {
             method: 'GET',
             headers: {
                 Authorization: `Bearer ${token}`,
@@ -182,7 +180,7 @@ export class AGSService {
             throw new Error('AGS create line items not available for this session');
         }
         const token = await this.getAGSToken(session, 'https://purl.imsglobal.org/spec/lti-ags/scope/lineitem');
-        const response = await fetch(`${session.services.ags.lineitems}`, {
+        const response = await ltiServiceFetch(`${session.services.ags.lineitems}`, {
             method: 'POST',
             headers: {
                 Authorization: `Bearer ${token}`,
@@ -216,7 +214,7 @@ export class AGSService {
             throw new Error('AGS line item not available for this session');
         }
         const token = await this.getAGSToken(session, 'https://purl.imsglobal.org/spec/lti-ags/scope/lineitem');
-        const response = await fetch(session.services.ags.lineitem, {
+        const response = await ltiServiceFetch(session.services.ags.lineitem, {
             method: 'PUT',
             headers: {
                 Authorization: `Bearer ${token}`,
@@ -245,7 +243,7 @@ export class AGSService {
             throw new Error('AGS line item not available for this session');
         }
         const token = await this.getAGSToken(session, 'https://purl.imsglobal.org/spec/lti-ags/scope/lineitem');
-        const response = await fetch(session.services.ags.lineitem, {
+        const response = await ltiServiceFetch(session.services.ags.lineitem, {
             method: 'DELETE',
             headers: {
                 Authorization: `Bearer ${token}`,

package/dist/services/deepLinking.service.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"deepLinking.service.d.ts","sourceRoot":"","sources":["../../src/services/deepLinking.service.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,MAAM,CAAC;AAEvC,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAC9D,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,oDAAoD,CAAC;~~AAEjG~~;;;;;GAKG;AACH,qBAAa,kBAAkB;IAS3B,OAAO,CAAC,OAAO;IACf,OAAO,CAAC,MAAM;IACd,OAAO,CAAC,KAAK;IAVf;;;;;;OAMG;gBAEO,OAAO,EAAE,aAAa,EACtB,MAAM,EAAE,UAAU,EAClB,KAAK,SAAS;IAGxB;;;;;;;;;;;;;;;;;;;;OAoBG;IACG,cAAc,CAClB,OAAO,EAAE,UAAU,EACnB,YAAY,EAAE,sBAAsB,EAAE,GACrC,OAAO,CAAC,MAAM,CAAC;IAiBlB;;;;;;OAMG;YACW,oBAAoB;IA6BlC;;;;;;OAMG;IACH,OAAO,CAAC,sBAAsB;CAiB/B"}
1	+ {"version":3,"file":"deepLinking.service.d.ts","sourceRoot":"","sources":["../../src/services/deepLinking.service.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,MAAM,CAAC;AAEvC,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAC9D,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,oDAAoD,CAAC;AAGjG;;;;;GAKG;AACH,qBAAa,kBAAkB;IAS3B,OAAO,CAAC,OAAO;IACf,OAAO,CAAC,MAAM;IACd,OAAO,CAAC,KAAK;IAVf;;;;;;OAMG;gBAEO,OAAO,EAAE,aAAa,EACtB,MAAM,EAAE,UAAU,EAClB,KAAK,SAAS;IAGxB;;;;;;;;;;;;;;;;;;;;OAoBG;IACG,cAAc,CAClB,OAAO,EAAE,UAAU,EACnB,YAAY,EAAE,sBAAsB,EAAE,GACrC,OAAO,CAAC,MAAM,CAAC;IAiBlB;;;;;;OAMG;YACW,oBAAoB;IA6BlC;;;;;;OAMG;IACH,OAAO,CAAC,sBAAsB;CAiB/B"}

package/dist/services/deepLinking.service.js CHANGED Viewed

@@ -1,4 +1,5 @@
 import { SignJWT } from 'jose';
+import { escapeHtml } from '../utils/htmlEscaping.js';
 /**
  * Deep Linking service for LTI 1.3.
  * Generates signed JWT responses containing selected content items to return to the platform.
@@ -97,8 +98,8 @@ export class DeepLinkingService {
   <title>Returning to platform...</title>
 </head>
 <body>
-  <form id="deepLinkingForm" method="POST" action="${returnUrl}">
-    <input type="hidden" name="JWT" value="${jwt}" />
+  <form id="deepLinkingForm" method="POST" action="${escapeHtml(returnUrl)}">
+    <input type="hidden" name="JWT" value="${escapeHtml(jwt)}" />
   </form>
   <script>
     document.getElementById('deepLinkingForm').submit();

package/dist/services/dynamicRegistration.service.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"dynamicRegistration.service.d.ts","sourceRoot":"","sources":["../../src/services/dynamicRegistration.service.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,MAAM,CAAC;AAEvC,OAAO,KAAK,EAAE,yBAAyB,EAAE,MAAM,4BAA4B,CAAC;AAC5E,OAAO,KAAK,EAAE,6BAA6B,EAAE,MAAM,gDAAgD,CAAC;AACpG,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAC9D,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,uEAAuE,CAAC;AAErH,OAAO,EACL,KAAK,mBAAmB,EAEzB,MAAM,oEAAoE,CAAC;AAC5E,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,oEAAoE,CAAC;~~AAS9G~~;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2CG;AACH,qBAAa,0BAA0B;IASnC,OAAO,CAAC,OAAO;IACf,OAAO,CAAC,yBAAyB;IACjC,OAAO,CAAC,MAAM;IAVhB;;;;;;OAMG;gBAEO,OAAO,EAAE,UAAU,EACnB,yBAAyB,EAAE,yBAAyB,EACpD,MAAM,EAAE,UAAU;IAG5B;;;;;;;OAOG;IACG,0BAA0B,CAC9B,mBAAmB,EAAE,mBAAmB,GACvC,OAAO,CAAC,mBAAmB,CAAC;IAkC/B;;;;;;;;OAQG;IACG,2BAA2B,CAC/B,mBAAmB,EAAE,mBAAmB,EACxC,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,MAAM,CAAC;IAsClB;;;;;;;OAOG;IACG,2BAA2B,CAC/B,uBAAuB,EAAE,uBAAuB,GAC/C,OAAO,CAAC,MAAM,CAAC;IA2DlB;;;;;;OAMG;IACG,yBAAyB,CAC7B,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC,6BAA6B,GAAG,SAAS,CAAC;IAQrD;;;;;;;OAOG;IACH,OAAO,CAAC,8BAA8B;IA2CtC;;;;;;;;;OASG;IACH,OAAO,CAAC,aAAa;IA0BrB;;;;;;OAMG;IACH,OAAO,CAAC,WAAW;IAoBnB;;;;;;;OAOG;IACH,OAAO,CAAC,wBAAwB;YA0ClB,mCAAmC;IAgBjD,OAAO,CAAC,0BAA0B;CAiDnC"}
1	+ {"version":3,"file":"dynamicRegistration.service.d.ts","sourceRoot":"","sources":["../../src/services/dynamicRegistration.service.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,MAAM,CAAC;AAEvC,OAAO,KAAK,EAAE,yBAAyB,EAAE,MAAM,4BAA4B,CAAC;AAC5E,OAAO,KAAK,EAAE,6BAA6B,EAAE,MAAM,gDAAgD,CAAC;AACpG,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAC9D,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,uEAAuE,CAAC;AAErH,OAAO,EACL,KAAK,mBAAmB,EAEzB,MAAM,oEAAoE,CAAC;AAC5E,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,oEAAoE,CAAC;AAW9G;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2CG;AACH,qBAAa,0BAA0B;IASnC,OAAO,CAAC,OAAO;IACf,OAAO,CAAC,yBAAyB;IACjC,OAAO,CAAC,MAAM;IAVhB;;;;;;OAMG;gBAEO,OAAO,EAAE,UAAU,EACnB,yBAAyB,EAAE,yBAAyB,EACpD,MAAM,EAAE,UAAU;IAG5B;;;;;;;OAOG;IACG,0BAA0B,CAC9B,mBAAmB,EAAE,mBAAmB,GACvC,OAAO,CAAC,mBAAmB,CAAC;IAkC/B;;;;;;;;OAQG;IACG,2BAA2B,CAC/B,mBAAmB,EAAE,mBAAmB,EACxC,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,MAAM,CAAC;IAsClB;;;;;;;OAOG;IACG,2BAA2B,CAC/B,uBAAuB,EAAE,uBAAuB,GAC/C,OAAO,CAAC,MAAM,CAAC;IA2DlB;;;;;;OAMG;IACG,yBAAyB,CAC7B,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC,6BAA6B,GAAG,SAAS,CAAC;IAQrD;;;;;;;OAOG;IACH,OAAO,CAAC,8BAA8B;IA2CtC;;;;;;;;;OASG;IACH,OAAO,CAAC,aAAa;IA0BrB;;;;;;OAMG;IACH,OAAO,CAAC,WAAW;IAoBnB;;;;;;;OAOG;IACH,OAAO,CAAC,wBAAwB;YA0ClB,mCAAmC;IAgBjD,OAAO,CAAC,0BAA0B;CAiDnC"}

package/dist/services/dynamicRegistration.service.js CHANGED Viewed

@@ -1,4 +1,6 @@
 import { openIDConfigurationSchema, } from '../schemas/lti13/dynamicRegistration/openIDConfiguration.schema.js';
+import { escapeHtml } from '../utils/htmlEscaping.js';
+import { ltiServiceFetch } from '../utils/ltiServiceFetch.js';
 import { handleMoodleDynamicRegistration, postRegistrationToMoodle, } from './dynamicRegistrationHandlers/moodle.js';
 /**
  * Service for handling LTI 1.3 dynamic registration workflows.
@@ -70,7 +72,7 @@ export class DynamicRegistrationService {
      */
     async fetchPlatformConfiguration(registrationRequest) {
         const { openid_configuration, registration_token } = registrationRequest;
-        const response = await fetch(openid_configuration, {
+        const response = await ltiServiceFetch(openid_configuration, {
             method: 'GET',
             headers: {
                 // only include registration token if it was provided
@@ -349,11 +351,11 @@ export class DynamicRegistrationService {
         <div class="card-body">
           <dl class="row">
             <dt class="col-sm-3">Tool Name:</dt>
-            <dd class="col-sm-9">${registrationResponse.client_name}</dd>
+            <dd class="col-sm-9">${escapeHtml(registrationResponse.client_name)}</dd>
             <dt class="col-sm-3">Client ID:</dt>
-            <dd class="col-sm-9"><code>${registrationResponse.client_id}</code></dd>
+            <dd class="col-sm-9"><code>${escapeHtml(registrationResponse.client_id)}</code></dd>
             <dt class="col-sm-3">Deployment ID:</dt>
-            <dd class="col-sm-9"><code>${registrationResponse['https://purl.imsglobal.org/spec/lti-tool-configuration'].deployment_id || 'default'}</code></dd>
+            <dd class="col-sm-9"><code>${escapeHtml(registrationResponse['https://purl.imsglobal.org/spec/lti-tool-configuration'].deployment_id || 'default')}</code></dd>
           </dl>
         </div>
       </div>

package/dist/services/dynamicRegistrationHandlers/moodle.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"moodle.d.ts","sourceRoot":"","sources":["../../../src/services/dynamicRegistrationHandlers/moodle.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,MAAM,CAAC;AAEvC,OAAO,EAEL,KAAK,mBAAmB,EACxB,KAAK,oBAAoB,EAC1B,MAAM,eAAe,CAAC;~~AAQvB~~;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,wBAAgB,+BAA+B,CAC7C,mBAAmB,EAAE,mBAAmB,EACxC,WAAW,EAAE,MAAM,EACnB,YAAY,EAAE,MAAM,GACnB,MAAM,CA2FR;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAsB,wBAAwB,CAC5C,oBAAoB,EAAE,MAAM,EAC5B,mBAAmB,EAAE,OAAO,EAC5B,MAAM,EAAE,UAAU,EAClB,iBAAiB,CAAC,EAAE,MAAM,GACzB,OAAO,CAAC,oBAAoB,CAAC,CAuB/B"}
1	+ {"version":3,"file":"moodle.d.ts","sourceRoot":"","sources":["../../../src/services/dynamicRegistrationHandlers/moodle.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,MAAM,CAAC;AAEvC,OAAO,EAEL,KAAK,mBAAmB,EACxB,KAAK,oBAAoB,EAC1B,MAAM,eAAe,CAAC;AAUvB;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,wBAAgB,+BAA+B,CAC7C,mBAAmB,EAAE,mBAAmB,EACxC,WAAW,EAAE,MAAM,EACnB,YAAY,EAAE,MAAM,GACnB,MAAM,CA2FR;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAsB,wBAAwB,CAC5C,oBAAoB,EAAE,MAAM,EAC5B,mBAAmB,EAAE,OAAO,EAC5B,MAAM,EAAE,UAAU,EAClB,iBAAiB,CAAC,EAAE,MAAM,GACzB,OAAO,CAAC,oBAAoB,CAAC,CAuB/B"}

package/dist/services/dynamicRegistrationHandlers/moodle.js CHANGED Viewed

@@ -1,5 +1,7 @@
 import { RegistrationResponseSchema, } from '../../schemas';
-import { getAGSScopes, hasAGSSupport, hasDeepLinkingSupport, hasNRPSSupport, } from '../../utils/ltiPlatformCapabilities';
+import { escapeHtml } from '../../utils/htmlEscaping.js';
+import { getAGSScopes, hasAGSSupport, hasDeepLinkingSupport, hasNRPSSupport, } from '../../utils/ltiPlatformCapabilities.js';
+import { ltiServiceFetch } from '../../utils/ltiServiceFetch.js';
 /**
  * Generates Moodle-specific dynamic registration form HTML with service selection options.
  * Creates a Bootstrap 5 form that detects available LTI Advantage services from the platform
@@ -38,7 +40,7 @@ export function handleMoodleDynamicRegistration(openIdConfiguration, currentPath
         <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.8/dist/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-sRIl4kxILFvY47J16cr9ZwB07vP4J8+LH7qKQnuqkuIAvNWLzeN8tE5YBujZqJLB" crossorigin="anonymous">
       </head>
       <body class="container mt-4">
-        <form method="POST" action="${completeAction}">
+        <form method="POST" action="${escapeHtml(completeAction)}">
           <div class="mb-3">
             <label class="form-label">Available Services</label>
             ${hasAGS
@@ -98,7 +100,7 @@ export function handleMoodleDynamicRegistration(openIdConfiguration, currentPath
             </div>
           </div>
-          <input type="hidden" name="sessionToken" value="${sessionToken}">
+          <input type="hidden" name="sessionToken" value="${escapeHtml(sessionToken)}">
           <button type="submit" class="btn btn-primary">Register Tool</button>
         </form>
@@ -134,7 +136,7 @@ export async function postRegistrationToMoodle(registrationEndpoint, registratio
     if (registrationToken) {
         headers['Authorization'] = `Bearer ${registrationToken}`;
     }
-    const response = await fetch(registrationEndpoint, {
+    const response = await ltiServiceFetch(registrationEndpoint, {
         method: 'POST',
         headers,
         body: JSON.stringify(registrationPayload),

package/dist/services/nrps.service.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"nrps.service.d.ts","sourceRoot":"","sources":["../../src/services/nrps.service.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,MAAM,CAAC;AAEvC,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAC9D,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;~~AAG9D~~,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAEvD;;;;;GAKG;AACH,qBAAa,WAAW;IASpB,OAAO,CAAC,YAAY;IACpB,OAAO,CAAC,OAAO;IACf,OAAO,CAAC,MAAM;IAVhB;;;;;;OAMG;gBAEO,YAAY,EAAE,YAAY,EAC1B,OAAO,EAAE,UAAU,EACnB,MAAM,EAAE,UAAU;IAG5B;;;;;;;;;;;;;;OAcG;IACG,UAAU,CAAC,OAAO,EAAE,UAAU,GAAG,OAAO,CAAC,QAAQ,CAAC;YAsB1C,YAAY;YAeZ,oBAAoB;CAanC"}
1	+ {"version":3,"file":"nrps.service.d.ts","sourceRoot":"","sources":["../../src/services/nrps.service.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,MAAM,CAAC;AAEvC,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAC9D,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAI9D,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAEvD;;;;;GAKG;AACH,qBAAa,WAAW;IASpB,OAAO,CAAC,YAAY;IACpB,OAAO,CAAC,OAAO;IACf,OAAO,CAAC,MAAM;IAVhB;;;;;;OAMG;gBAEO,YAAY,EAAE,YAAY,EAC1B,OAAO,EAAE,UAAU,EACnB,MAAM,EAAE,UAAU;IAG5B;;;;;;;;;;;;;;OAcG;IACG,UAAU,CAAC,OAAO,EAAE,UAAU,GAAG,OAAO,CAAC,QAAQ,CAAC;YAsB1C,YAAY;YAeZ,oBAAoB;CAanC"}

package/dist/services/nrps.service.js CHANGED Viewed

@@ -1,4 +1,5 @@
 import { getValidLaunchConfig } from '../utils/launchConfigValidation.js';
+import { ltiServiceFetch } from '../utils/ltiServiceFetch.js';
 /**
  * Names and Role Provisioning Services (NRPS) implementation for LTI 1.3.
  * Provides methods to retrieve course membership and user information from the platform.
@@ -41,7 +42,7 @@ export class NRPSService {
             throw new Error('NRPS not available for this session');
         }
         const token = await this.getNRPSToken(session, 'https://purl.imsglobal.org/spec/lti-nrps/scope/contextmembership.readonly');
-        const response = await fetch(session.services.nrps.membershipUrl, {
+        const response = await ltiServiceFetch(session.services.nrps.membershipUrl, {
             method: 'GET',
             headers: {
                 Authorization: `Bearer ${token}`,

package/dist/services/session.service.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"session.service.d.ts","sourceRoot":"","sources":["../../src/services/session.service.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAC9D,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAE3D;;;;;;GAMG;AAEH,wBAAgB,aAAa,CAAC,eAAe,EAAE,eAAe,GAAG,UAAU,~~CAuG1E~~"}
1	+ {"version":3,"file":"session.service.d.ts","sourceRoot":"","sources":["../../src/services/session.service.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAC9D,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAE3D;;;;;;GAMG;AAEH,wBAAgB,aAAa,CAAC,eAAe,EAAE,eAAe,GAAG,UAAU,CA4G1E"}

package/dist/services/session.service.js CHANGED Viewed

@@ -20,9 +20,14 @@ export function createSession(lti13JwtPayload) {
     const isAdmin = roles.some((role) => role.includes('Administrator'));
     const services = {};
     if (agsEndpoint) {
+        let lineItemUrl;
+        if (agsEndpoint.lineitem) {
+            const url = new URL(agsEndpoint.lineitem);
+            lineItemUrl = `${url.origin}${url.pathname}`; // quirk: moodle adds a url search param
+        }
         services.ags = {
-            lineitem: agsEndpoint.lineitem,
-            lineitems: agsEndpoint.lineitems,
+            lineitem: lineItemUrl,
+            lineitems: agsEndpoint.lineitems, // quirk: keep the moodle url search param
             scopes: agsEndpoint.scope || [],
         };
     }

package/dist/services/token.service.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"token.service.d.ts","sourceRoot":"","sources":["../../src/services/token.service.ts"],"names":[],"mappings":"~~AAEA~~;;;;;;;;GAQG;AACH,qBAAa,YAAY;IAQrB,OAAO,CAAC,OAAO;IACf,OAAO,CAAC,KAAK;IARf;;;;;OAKG;gBAEO,OAAO,EAAE,aAAa,EACtB,KAAK,SAAS;IAGxB;;;;;;OAMG;IACG,qBAAqB,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAiBhF;;;;;;;;OAQG;IACG,cAAc,CAClB,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,EAChB,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,MAAM,CAAC;CA6BnB"}
1	+ {"version":3,"file":"token.service.d.ts","sourceRoot":"","sources":["../../src/services/token.service.ts"],"names":[],"mappings":"AAIA;;;;;;;;GAQG;AACH,qBAAa,YAAY;IAQrB,OAAO,CAAC,OAAO;IACf,OAAO,CAAC,KAAK;IARf;;;;;OAKG;gBAEO,OAAO,EAAE,aAAa,EACtB,KAAK,SAAS;IAGxB;;;;;;OAMG;IACG,qBAAqB,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAiBhF;;;;;;;;OAQG;IACG,cAAc,CAClB,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,EAChB,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,MAAM,CAAC;CA6BnB"}

package/dist/services/token.service.js CHANGED Viewed

@@ -1,4 +1,5 @@
 import { SignJWT } from 'jose';
+import { ltiServiceFetch } from '../utils/ltiServiceFetch.js';
 /**
  * Service for handling OAuth2 client credentials flow and JWT client assertions.
  * Used for obtaining bearer tokens to access LTI Advantage services (AGS, NRPS, etc.).
@@ -55,7 +56,7 @@ export class TokenService {
      */
     async getBearerToken(clientId, tokenUrl, scope) {
         const assertion = await this.createClientAssertion(clientId, tokenUrl);
-        const response = await fetch(tokenUrl, {
+        const response = await ltiServiceFetch(tokenUrl, {
             method: 'POST',
             headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
             body: new URLSearchParams({

package/dist/utils/htmlEscaping.d.ts ADDED Viewed

@@ -0,0 +1,28 @@
+/**
+ * Escapes HTML special characters to prevent XSS attacks when inserting
+ * untrusted content into HTML.
+ *
+ * Converts the following characters to their HTML entity equivalents:
+ * - `&` → `&amp;`
+ * - `<` → `&lt;`
+ * - `>` → `&gt;`
+ * - `"` → `&quot;`
+ * - `'` → `&#39;`
+ *
+ * @param str - The string containing potentially unsafe HTML characters
+ * @returns The escaped string safe for insertion into HTML content or attributes
+ *
+ * @example
+ * ```typescript
+ * escapeHtml('<script>alert("XSS")</script>');
+ * // Returns: '&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;'
+ *
+ * escapeHtml('Tom & Jerry');
+ * // Returns: 'Tom &amp; Jerry'
+ *
+ * escapeHtml('<div class="foo">');
+ * // Returns: '&lt;div class=&quot;foo&quot;&gt;'
+ * ```
+ */
+export declare function escapeHtml(str: string): string;
+//# sourceMappingURL=htmlEscaping.d.ts.map

package/dist/utils/htmlEscaping.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"htmlEscaping.d.ts","sourceRoot":"","sources":["../../src/utils/htmlEscaping.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,wBAAgB,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAO9C"}

package/dist/utils/htmlEscaping.js ADDED Viewed

@@ -0,0 +1,34 @@
+/**
+ * Escapes HTML special characters to prevent XSS attacks when inserting
+ * untrusted content into HTML.
+ *
+ * Converts the following characters to their HTML entity equivalents:
+ * - `&` → `&amp;`
+ * - `<` → `&lt;`
+ * - `>` → `&gt;`
+ * - `"` → `&quot;`
+ * - `'` → `&#39;`
+ *
+ * @param str - The string containing potentially unsafe HTML characters
+ * @returns The escaped string safe for insertion into HTML content or attributes
+ *
+ * @example
+ * ```typescript
+ * escapeHtml('<script>alert("XSS")</script>');
+ * // Returns: '&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;'
+ *
+ * escapeHtml('Tom & Jerry');
+ * // Returns: 'Tom &amp; Jerry'
+ *
+ * escapeHtml('<div class="foo">');
+ * // Returns: '&lt;div class=&quot;foo&quot;&gt;'
+ * ```
+ */
+export function escapeHtml(str) {
+    return str
+        .replace(/&/g, '&amp;')
+        .replace(/</g, '&lt;')
+        .replace(/>/g, '&gt;')
+        .replace(/"/g, '&quot;')
+        .replace(/'/g, '&#39;');
+}

package/dist/utils/ltiServiceFetch.d.ts ADDED Viewed

@@ -0,0 +1,22 @@
+/**
+ * Wrapper around fetch() that automatically adds User-Agent header for LTI service requests.
+ *
+ * Canvas enforces User-Agent headers on all API requests starting January 2026.
+ * This wrapper ensures compliance while allowing user override if needed.
+ *
+ * @param url - Request URL (string or URL object)
+ * @param init - Fetch options (headers, method, body, etc.)
+ * @returns Promise resolving to Response
+ *
+ * @see https://community.canvaslms.com/t5/Releases-Production/Canvas-Release-Notes-2026-01-17/ta-p/616001
+ *
+ * @example
+ * ```typescript
+ * const response = await ltiServiceFetch('https://api.example.com/scores', {
+ *   method: 'POST',
+ *   headers: { 'Content-Type': 'application/json' },
+ *   body: JSON.stringify({ score: 95 })
+ * });
+ * */
+export declare function ltiServiceFetch(url: string | URL, init?: RequestInit): Promise<Response>;
+//# sourceMappingURL=ltiServiceFetch.d.ts.map

package/dist/utils/ltiServiceFetch.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"ltiServiceFetch.d.ts","sourceRoot":"","sources":["../../src/utils/ltiServiceFetch.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;;;;;;;;;;KAmBK;AAEL,wBAAsB,eAAe,CACnC,GAAG,EAAE,MAAM,GAAG,GAAG,EACjB,IAAI,CAAC,EAAE,WAAW,GACjB,OAAO,CAAC,QAAQ,CAAC,CAenB"}

package/dist/utils/ltiServiceFetch.js ADDED Viewed

@@ -0,0 +1,35 @@
+import * as packageJson from '../../package.json';
+/**
+ * Wrapper around fetch() that automatically adds User-Agent header for LTI service requests.
+ *
+ * Canvas enforces User-Agent headers on all API requests starting January 2026.
+ * This wrapper ensures compliance while allowing user override if needed.
+ *
+ * @param url - Request URL (string or URL object)
+ * @param init - Fetch options (headers, method, body, etc.)
+ * @returns Promise resolving to Response
+ *
+ * @see https://community.canvaslms.com/t5/Releases-Production/Canvas-Release-Notes-2026-01-17/ta-p/616001
+ *
+ * @example
+ * ```typescript
+ * const response = await ltiServiceFetch('https://api.example.com/scores', {
+ *   method: 'POST',
+ *   headers: { 'Content-Type': 'application/json' },
+ *   body: JSON.stringify({ score: 95 })
+ * });
+ * */
+// oxlint-disable-next-line require-await
+export async function ltiServiceFetch(url, init) {
+    // Create Headers object from init.headers (handles all header input types)
+    const headers = new Headers(init?.headers);
+    // Add User-Agent only if not already present (allows override)
+    if (!headers.has('User-Agent')) {
+        headers.set('User-Agent', `lti-tool/${packageJson.version} (https://github.com/lti-tool/lti-tool)`);
+    }
+    // Call fetch with merged headers
+    return fetch(url, {
+        ...init,
+        headers,
+    });
+}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@lti-tool/core",
-  "version": "0.14.0",
+  "version": "1.0.0",
   "description": "LTI 1.3 implementation for Node.js",
   "keywords": [
     "lti",

package/src/services/ags.service.ts CHANGED Viewed

@@ -8,6 +8,7 @@ import type {
 } from '../schemas/lti13/ags/lineItem.schema.js';
 import type { ScoreSubmission } from '../schemas/lti13/ags/scoreSubmission.schema.js';
 import { getValidLaunchConfig } from '../utils/launchConfigValidation.js';
+import { ltiServiceFetch } from '../utils/ltiServiceFetch.js';
 import type { TokenService } from './token.service.js';
@@ -70,7 +71,8 @@ export class AGSService {
       gradingProgress: score.gradingProgress,
     };
-    const response = await fetch(`${session.services.ags.lineitem}/scores`, {
+    const agsScoreEndpoint = `${session.services.ags.lineitem}/scores`;
+    const response = await ltiServiceFetch(agsScoreEndpoint, {
       method: 'POST',
       headers: {
         Authorization: `Bearer ${token}`,
@@ -107,13 +109,9 @@ export class AGSService {
       'https://purl.imsglobal.org/spec/lti-ags/scope/result.readonly',
     );
-    // cleanse the results URL
-    // we cannot include a search / query param
-    const lineItemUrl = new URL(session.services.ags.lineitem);
-    lineItemUrl.search = '';
-    const resultsUrl = `${lineItemUrl.toString()}/results`;
+    const resultsEndpoint = `${session.services.ags.lineitem}/results`;
-    const response = await fetch(resultsUrl, {
+    const response = await ltiServiceFetch(resultsEndpoint, {
       method: 'GET',
       headers: {
         Authorization: `Bearer ${token}`,
@@ -149,7 +147,7 @@ export class AGSService {
       'https://purl.imsglobal.org/spec/lti-ags/scope/lineitem.readonly',
     );
-    const response = await fetch(`${session.services.ags.lineitems}`, {
+    const response = await ltiServiceFetch(`${session.services.ags.lineitems}`, {
       method: 'GET',
       headers: {
         Authorization: `Bearer ${token}`,
@@ -185,7 +183,7 @@ export class AGSService {
       'https://purl.imsglobal.org/spec/lti-ags/scope/lineitem.readonly',
     );
-    const response = await fetch(`${session.services.ags.lineitem}`, {
+    const response = await ltiServiceFetch(`${session.services.ags.lineitem}`, {
       method: 'GET',
       headers: {
         Authorization: `Bearer ${token}`,
@@ -230,7 +228,7 @@ export class AGSService {
       'https://purl.imsglobal.org/spec/lti-ags/scope/lineitem',
     );
-    const response = await fetch(`${session.services.ags.lineitems}`, {
+    const response = await ltiServiceFetch(`${session.services.ags.lineitems}`, {
       method: 'POST',
       headers: {
         Authorization: `Bearer ${token}`,
@@ -274,7 +272,7 @@ export class AGSService {
       'https://purl.imsglobal.org/spec/lti-ags/scope/lineitem',
     );
-    const response = await fetch(session.services.ags.lineitem, {
+    const response = await ltiServiceFetch(session.services.ags.lineitem, {
       method: 'PUT',
       headers: {
         Authorization: `Bearer ${token}`,
@@ -310,7 +308,7 @@ export class AGSService {
       'https://purl.imsglobal.org/spec/lti-ags/scope/lineitem',
     );
-    const response = await fetch(session.services.ags.lineitem, {
+    const response = await ltiServiceFetch(session.services.ags.lineitem, {
       method: 'DELETE',
       headers: {
         Authorization: `Bearer ${token}`,

package/src/services/deepLinking.service.ts CHANGED Viewed

@@ -3,6 +3,7 @@ import type { BaseLogger } from 'pino';
 import type { LTISession } from '../interfaces/ltiSession.js';
 import type { DeepLinkingContentItem } from '../schemas/lti13/deepLinking/contentItem.schema.js';
+import { escapeHtml } from '../utils/htmlEscaping.js';
 /**
  * Deep Linking service for LTI 1.3.
@@ -116,8 +117,8 @@ export class DeepLinkingService {
   <title>Returning to platform...</title>
 </head>
 <body>
-  <form id="deepLinkingForm" method="POST" action="${returnUrl}">
-    <input type="hidden" name="JWT" value="${jwt}" />
+  <form id="deepLinkingForm" method="POST" action="${escapeHtml(returnUrl)}">
+    <input type="hidden" name="JWT" value="${escapeHtml(jwt)}" />
   </form>
   <script>
     document.getElementById('deepLinkingForm').submit();

package/src/services/dynamicRegistration.service.ts CHANGED Viewed

@@ -12,6 +12,8 @@ import {
 import type { RegistrationRequest } from '../schemas/lti13/dynamicRegistration/registrationRequest.schema.js';
 import type { RegistrationResponse } from '../schemas/lti13/dynamicRegistration/registrationResponse.schema.js';
 import type { ToolRegistrationPayload } from '../schemas/lti13/dynamicRegistration/toolRegistrationPayload.schema.js';
+import { escapeHtml } from '../utils/htmlEscaping.js';
+import { ltiServiceFetch } from '../utils/ltiServiceFetch.js';
 import {
   handleMoodleDynamicRegistration,
@@ -88,7 +90,7 @@ export class DynamicRegistrationService {
     registrationRequest: RegistrationRequest,
   ): Promise<OpenIDConfiguration> {
     const { openid_configuration, registration_token } = registrationRequest;
-    const response = await fetch(openid_configuration, {
+    const response = await ltiServiceFetch(openid_configuration, {
       method: 'GET',
       headers: {
         // only include registration token if it was provided
@@ -461,11 +463,11 @@ export class DynamicRegistrationService {
         <div class="card-body">
           <dl class="row">
             <dt class="col-sm-3">Tool Name:</dt>
-            <dd class="col-sm-9">${registrationResponse.client_name}</dd>
+            <dd class="col-sm-9">${escapeHtml(registrationResponse.client_name)}</dd>
             <dt class="col-sm-3">Client ID:</dt>
-            <dd class="col-sm-9"><code>${registrationResponse.client_id}</code></dd>
+            <dd class="col-sm-9"><code>${escapeHtml(registrationResponse.client_id)}</code></dd>
             <dt class="col-sm-3">Deployment ID:</dt>
-            <dd class="col-sm-9"><code>${registrationResponse['https://purl.imsglobal.org/spec/lti-tool-configuration'].deployment_id || 'default'}</code></dd>
+            <dd class="col-sm-9"><code>${escapeHtml(registrationResponse['https://purl.imsglobal.org/spec/lti-tool-configuration'].deployment_id || 'default')}</code></dd>
           </dl>
         </div>
       </div>

package/src/services/dynamicRegistrationHandlers/moodle.ts CHANGED Viewed

@@ -5,12 +5,14 @@ import {
   type OpenIDConfiguration,
   type RegistrationResponse,
 } from '../../schemas';
+import { escapeHtml } from '../../utils/htmlEscaping.js';
 import {
   getAGSScopes,
   hasAGSSupport,
   hasDeepLinkingSupport,
   hasNRPSSupport,
-} from '../../utils/ltiPlatformCapabilities';
+} from '../../utils/ltiPlatformCapabilities.js';
+import { ltiServiceFetch } from '../../utils/ltiServiceFetch.js';
 /**
  * Generates Moodle-specific dynamic registration form HTML with service selection options.
@@ -55,7 +57,7 @@ export function handleMoodleDynamicRegistration(
         <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.8/dist/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-sRIl4kxILFvY47J16cr9ZwB07vP4J8+LH7qKQnuqkuIAvNWLzeN8tE5YBujZqJLB" crossorigin="anonymous">
       </head>
       <body class="container mt-4">
-        <form method="POST" action="${completeAction}">
+        <form method="POST" action="${escapeHtml(completeAction)}">
           <div class="mb-3">
             <label class="form-label">Available Services</label>
             ${
@@ -121,7 +123,7 @@ export function handleMoodleDynamicRegistration(
             </div>
           </div>
-          <input type="hidden" name="sessionToken" value="${sessionToken}">
+          <input type="hidden" name="sessionToken" value="${escapeHtml(sessionToken)}">
           <button type="submit" class="btn btn-primary">Register Tool</button>
         </form>
@@ -164,7 +166,7 @@ export async function postRegistrationToMoodle(
     headers['Authorization'] = `Bearer ${registrationToken}`;
   }
-  const response = await fetch(registrationEndpoint, {
+  const response = await ltiServiceFetch(registrationEndpoint, {
     method: 'POST',
     headers,
     body: JSON.stringify(registrationPayload),

package/src/services/nrps.service.ts CHANGED Viewed

@@ -3,6 +3,7 @@ import type { BaseLogger } from 'pino';
 import type { LTISession } from '../interfaces/ltiSession.js';
 import type { LTIStorage } from '../interfaces/ltiStorage.js';
 import { getValidLaunchConfig } from '../utils/launchConfigValidation.js';
+import { ltiServiceFetch } from '../utils/ltiServiceFetch.js';
 import type { TokenService } from './token.service.js';
@@ -51,7 +52,7 @@ export class NRPSService {
       'https://purl.imsglobal.org/spec/lti-nrps/scope/contextmembership.readonly',
     );
-    const response = await fetch(session.services.nrps.membershipUrl, {
+    const response = await ltiServiceFetch(session.services.nrps.membershipUrl, {
       method: 'GET',
       headers: {
         Authorization: `Bearer ${token}`,

package/src/services/session.service.ts CHANGED Viewed

@@ -31,9 +31,14 @@ export function createSession(lti13JwtPayload: LTI13JwtPayload): LTISession {
   const services: Record<string, unknown> = {};
   if (agsEndpoint) {
+    let lineItemUrl: string | undefined;
+    if (agsEndpoint.lineitem) {
+      const url = new URL(agsEndpoint.lineitem);
+      lineItemUrl = `${url.origin}${url.pathname}`; // quirk: moodle adds a url search param
+    }
     services.ags = {
-      lineitem: agsEndpoint.lineitem,
-      lineitems: agsEndpoint.lineitems,
+      lineitem: lineItemUrl,
+      lineitems: agsEndpoint.lineitems, // quirk: keep the moodle url search param
       scopes: agsEndpoint.scope || [],
     };
   }

package/src/services/token.service.ts CHANGED Viewed

@@ -1,5 +1,7 @@
 import { SignJWT } from 'jose';
+import { ltiServiceFetch } from '../utils/ltiServiceFetch.js';
 /**
  * Service for handling OAuth2 client credentials flow and JWT client assertions.
  * Used for obtaining bearer tokens to access LTI Advantage services (AGS, NRPS, etc.).
@@ -61,7 +63,7 @@ export class TokenService {
   ): Promise<string> {
     const assertion = await this.createClientAssertion(clientId, tokenUrl);
-    const response = await fetch(tokenUrl, {
+    const response = await ltiServiceFetch(tokenUrl, {
       method: 'POST',
       headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
       body: new URLSearchParams({

package/src/utils/htmlEscaping.ts ADDED Viewed

@@ -0,0 +1,34 @@
+/**
+ * Escapes HTML special characters to prevent XSS attacks when inserting
+ * untrusted content into HTML.
+ *
+ * Converts the following characters to their HTML entity equivalents:
+ * - `&` → `&amp;`
+ * - `<` → `&lt;`
+ * - `>` → `&gt;`
+ * - `"` → `&quot;`
+ * - `'` → `&#39;`
+ *
+ * @param str - The string containing potentially unsafe HTML characters
+ * @returns The escaped string safe for insertion into HTML content or attributes
+ *
+ * @example
+ * ```typescript
+ * escapeHtml('<script>alert("XSS")</script>');
+ * // Returns: '&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;'
+ *
+ * escapeHtml('Tom & Jerry');
+ * // Returns: 'Tom &amp; Jerry'
+ *
+ * escapeHtml('<div class="foo">');
+ * // Returns: '&lt;div class=&quot;foo&quot;&gt;'
+ * ```
+ */
+export function escapeHtml(str: string): string {
+  return str
+    .replace(/&/g, '&amp;')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;')
+    .replace(/"/g, '&quot;')
+    .replace(/'/g, '&#39;');
+}

package/src/utils/ltiServiceFetch.ts ADDED Viewed

@@ -0,0 +1,42 @@
+import * as packageJson from '../../package.json';
+/**
+ * Wrapper around fetch() that automatically adds User-Agent header for LTI service requests.
+ *
+ * Canvas enforces User-Agent headers on all API requests starting January 2026.
+ * This wrapper ensures compliance while allowing user override if needed.
+ *
+ * @param url - Request URL (string or URL object)
+ * @param init - Fetch options (headers, method, body, etc.)
+ * @returns Promise resolving to Response
+ *
+ * @see https://community.canvaslms.com/t5/Releases-Production/Canvas-Release-Notes-2026-01-17/ta-p/616001
+ *
+ * @example
+ * ```typescript
+ * const response = await ltiServiceFetch('https://api.example.com/scores', {
+ *   method: 'POST',
+ *   headers: { 'Content-Type': 'application/json' },
+ *   body: JSON.stringify({ score: 95 })
+ * });
+ * */
+// oxlint-disable-next-line require-await
+export async function ltiServiceFetch(
+  url: string | URL,
+  init?: RequestInit,
+): Promise<Response> {
+  // Create Headers object from init.headers (handles all header input types)
+  const headers = new Headers(init?.headers);
+  // Add User-Agent only if not already present (allows override)
+  if (!headers.has('User-Agent')) {
+    headers.set(
+      'User-Agent',
+      `lti-tool/${packageJson.version} (https://github.com/lti-tool/lti-tool)`,
+    );
+  }
+  // Call fetch with merged headers
+  return fetch(url, {
+    ...init,
+    headers,
+  });
+}