@lti-tool/core 0.14.1 → 1.0.0

package/CHANGELOG.md

@@ -1,5 +1,16 @@
 # @lti-tool/core
 
+## 1.0.0
+
+### Major Changes
+
+- 3bcba99: First stable release of LTI 1.3 toolkit for Node.js.
+  - Add ltiServiceFetch utility with automatic User-Agent injection for Canvas API compliance (effective January 2026)
+  - Add HTML escaping utility for XSS prevention in dynamic registration flows
+  - Complete LTI 1.3 specification: OIDC authentication, AGS, NRPS, Deep Linking, Dynamic Registration
+  - Serverless-native design optimized for AWS Lambda and Cloudflare Workers
+  - Cookie-free session management for iframe compatibility
+
 ## 0.14.1
 
 ### Patch Changes

package/dist/services/ags.service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ags.service.d.ts","sourceRoot":"","sources":["../../src/services/ags.service.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,MAAM,CAAC;AAEvC,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAC9D,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAC9D,OAAO,KAAK,EACV,cAAc,EACd,cAAc,EACf,MAAM,yCAAyC,CAAC;AACjD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,gDAAgD,CAAC;AAGtF,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAEvD;;;;;GAKG;AACH,qBAAa,UAAU;IASnB,OAAO,CAAC,YAAY;IACpB,OAAO,CAAC,OAAO;IACf,OAAO,CAAC,MAAM;IAVhB;;;;;;OAMG;gBAEO,YAAY,EAAE,YAAY,EAC1B,OAAO,EAAE,UAAU,EACnB,MAAM,EAAE,UAAU;IAG5B;;;;;;;;;;;;;;;;;;OAkBG;IACG,WAAW,CAAC,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,eAAe,GAAG,OAAO,CAAC,QAAQ,CAAC;IAkCjF;;;;;;;;;;;;;OAaG;IACG,SAAS,CAAC,OAAO,EAAE,UAAU,GAAG,OAAO,CAAC,QAAQ,CAAC;IAwBvD;;;;;;;;;;;;;OAaG;IACG,aAAa,CAAC,OAAO,EAAE,UAAU,GAAG,OAAO,CAAC,QAAQ,CAAC;IAsB3D;;;;;;;;;;;;;OAaG;IACG,WAAW,CAAC,OAAO,EAAE,UAAU,GAAG,OAAO,CAAC,QAAQ,CAAC;IAsBzD;;;;;;;;;;;;;;;;;;;OAmBG;IACG,cAAc,CAClB,OAAO,EAAE,UAAU,EACnB,cAAc,EAAE,cAAc,GAC7B,OAAO,CAAC,QAAQ,CAAC;IAuBpB;;;;;;;;;;;;;;;;;OAiBG;IACG,cAAc,CAClB,OAAO,EAAE,UAAU,EACnB,cAAc,EAAE,cAAc,GAC7B,OAAO,CAAC,QAAQ,CAAC;IAuBpB;;;;;;;;;;;;OAYG;IACG,cAAc,CAAC,OAAO,EAAE,UAAU,GAAG,OAAO,CAAC,QAAQ,CAAC;YAqB9C,WAAW;YAeX,mBAAmB;CAalC"}
+{"version":3,"file":"ags.service.d.ts","sourceRoot":"","sources":["../../src/services/ags.service.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,MAAM,CAAC;AAEvC,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAC9D,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAC9D,OAAO,KAAK,EACV,cAAc,EACd,cAAc,EACf,MAAM,yCAAyC,CAAC;AACjD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,gDAAgD,CAAC;AAItF,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAEvD;;;;;GAKG;AACH,qBAAa,UAAU;IASnB,OAAO,CAAC,YAAY;IACpB,OAAO,CAAC,OAAO;IACf,OAAO,CAAC,MAAM;IAVhB;;;;;;OAMG;gBAEO,YAAY,EAAE,YAAY,EAC1B,OAAO,EAAE,UAAU,EACnB,MAAM,EAAE,UAAU;IAG5B;;;;;;;;;;;;;;;;;;OAkBG;IACG,WAAW,CAAC,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,eAAe,GAAG,OAAO,CAAC,QAAQ,CAAC;IAkCjF;;;;;;;;;;;;;OAaG;IACG,SAAS,CAAC,OAAO,EAAE,UAAU,GAAG,OAAO,CAAC,QAAQ,CAAC;IAwBvD;;;;;;;;;;;;;OAaG;IACG,aAAa,CAAC,OAAO,EAAE,UAAU,GAAG,OAAO,CAAC,QAAQ,CAAC;IAsB3D;;;;;;;;;;;;;OAaG;IACG,WAAW,CAAC,OAAO,EAAE,UAAU,GAAG,OAAO,CAAC,QAAQ,CAAC;IAsBzD;;;;;;;;;;;;;;;;;;;OAmBG;IACG,cAAc,CAClB,OAAO,EAAE,UAAU,EACnB,cAAc,EAAE,cAAc,GAC7B,OAAO,CAAC,QAAQ,CAAC;IAuBpB;;;;;;;;;;;;;;;;;OAiBG;IACG,cAAc,CAClB,OAAO,EAAE,UAAU,EACnB,cAAc,EAAE,cAAc,GAC7B,OAAO,CAAC,QAAQ,CAAC;IAuBpB;;;;;;;;;;;;OAYG;IACG,cAAc,CAAC,OAAO,EAAE,UAAU,GAAG,OAAO,CAAC,QAAQ,CAAC;YAqB9C,WAAW;YAeX,mBAAmB;CAalC"}

package/dist/services/ags.service.js

@@ -1,4 +1,5 @@
 import { getValidLaunchConfig } from '../utils/launchConfigValidation.js';
+import { ltiServiceFetch } from '../utils/ltiServiceFetch.js';
 /**
  * Assignment and Grade Services (AGS) implementation for LTI 1.3.
  * Provides methods to submit grades and scores back to the platform.
@@ -55,7 +56,7 @@ export class AGSService {
             gradingProgress: score.gradingProgress,
         };
         const agsScoreEndpoint = `${session.services.ags.lineitem}/scores`;
-        const response = await fetch(agsScoreEndpoint, {
+        const response = await ltiServiceFetch(agsScoreEndpoint, {
             method: 'POST',
             headers: {
                 Authorization: `Bearer ${token}`,
@@ -86,7 +87,7 @@ export class AGSService {
         }
         const token = await this.getAGSToken(session, 'https://purl.imsglobal.org/spec/lti-ags/scope/result.readonly');
         const resultsEndpoint = `${session.services.ags.lineitem}/results`;
-        const response = await fetch(resultsEndpoint, {
+        const response = await ltiServiceFetch(resultsEndpoint, {
             method: 'GET',
             headers: {
                 Authorization: `Bearer ${token}`,
@@ -115,7 +116,7 @@ export class AGSService {
             throw new Error('AGS list line items not available for this session');
         }
         const token = await this.getAGSToken(session, 'https://purl.imsglobal.org/spec/lti-ags/scope/lineitem.readonly');
-        const response = await fetch(`${session.services.ags.lineitems}`, {
+        const response = await ltiServiceFetch(`${session.services.ags.lineitems}`, {
             method: 'GET',
             headers: {
                 Authorization: `Bearer ${token}`,
@@ -144,7 +145,7 @@ export class AGSService {
             throw new Error('AGS line item not available for this session');
         }
         const token = await this.getAGSToken(session, 'https://purl.imsglobal.org/spec/lti-ags/scope/lineitem.readonly');
-        const response = await fetch(`${session.services.ags.lineitem}`, {
+        const response = await ltiServiceFetch(`${session.services.ags.lineitem}`, {
             method: 'GET',
             headers: {
                 Authorization: `Bearer ${token}`,
@@ -179,7 +180,7 @@ export class AGSService {
             throw new Error('AGS create line items not available for this session');
         }
         const token = await this.getAGSToken(session, 'https://purl.imsglobal.org/spec/lti-ags/scope/lineitem');
-        const response = await fetch(`${session.services.ags.lineitems}`, {
+        const response = await ltiServiceFetch(`${session.services.ags.lineitems}`, {
             method: 'POST',
             headers: {
                 Authorization: `Bearer ${token}`,
@@ -213,7 +214,7 @@ export class AGSService {
             throw new Error('AGS line item not available for this session');
         }
         const token = await this.getAGSToken(session, 'https://purl.imsglobal.org/spec/lti-ags/scope/lineitem');
-        const response = await fetch(session.services.ags.lineitem, {
+        const response = await ltiServiceFetch(session.services.ags.lineitem, {
             method: 'PUT',
             headers: {
                 Authorization: `Bearer ${token}`,
@@ -242,7 +243,7 @@ export class AGSService {
             throw new Error('AGS line item not available for this session');
         }
         const token = await this.getAGSToken(session, 'https://purl.imsglobal.org/spec/lti-ags/scope/lineitem');
-        const response = await fetch(session.services.ags.lineitem, {
+        const response = await ltiServiceFetch(session.services.ags.lineitem, {
             method: 'DELETE',
             headers: {
                 Authorization: `Bearer ${token}`,

package/dist/services/deepLinking.service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"deepLinking.service.d.ts","sourceRoot":"","sources":["../../src/services/deepLinking.service.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,MAAM,CAAC;AAEvC,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAC9D,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,oDAAoD,CAAC;AAEjG;;;;;GAKG;AACH,qBAAa,kBAAkB;IAS3B,OAAO,CAAC,OAAO;IACf,OAAO,CAAC,MAAM;IACd,OAAO,CAAC,KAAK;IAVf;;;;;;OAMG;gBAEO,OAAO,EAAE,aAAa,EACtB,MAAM,EAAE,UAAU,EAClB,KAAK,SAAS;IAGxB;;;;;;;;;;;;;;;;;;;;OAoBG;IACG,cAAc,CAClB,OAAO,EAAE,UAAU,EACnB,YAAY,EAAE,sBAAsB,EAAE,GACrC,OAAO,CAAC,MAAM,CAAC;IAiBlB;;;;;;OAMG;YACW,oBAAoB;IA6BlC;;;;;;OAMG;IACH,OAAO,CAAC,sBAAsB;CAiB/B"}
+{"version":3,"file":"deepLinking.service.d.ts","sourceRoot":"","sources":["../../src/services/deepLinking.service.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,MAAM,CAAC;AAEvC,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAC9D,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,oDAAoD,CAAC;AAGjG;;;;;GAKG;AACH,qBAAa,kBAAkB;IAS3B,OAAO,CAAC,OAAO;IACf,OAAO,CAAC,MAAM;IACd,OAAO,CAAC,KAAK;IAVf;;;;;;OAMG;gBAEO,OAAO,EAAE,aAAa,EACtB,MAAM,EAAE,UAAU,EAClB,KAAK,SAAS;IAGxB;;;;;;;;;;;;;;;;;;;;OAoBG;IACG,cAAc,CAClB,OAAO,EAAE,UAAU,EACnB,YAAY,EAAE,sBAAsB,EAAE,GACrC,OAAO,CAAC,MAAM,CAAC;IAiBlB;;;;;;OAMG;YACW,oBAAoB;IA6BlC;;;;;;OAMG;IACH,OAAO,CAAC,sBAAsB;CAiB/B"}

package/dist/services/deepLinking.service.js

@@ -1,4 +1,5 @@
 import { SignJWT } from 'jose';
+import { escapeHtml } from '../utils/htmlEscaping.js';
 /**
  * Deep Linking service for LTI 1.3.
  * Generates signed JWT responses containing selected content items to return to the platform.
@@ -97,8 +98,8 @@ export class DeepLinkingService {
   <title>Returning to platform...</title>
 </head>
 <body>
-  <form id="deepLinkingForm" method="POST" action="${returnUrl}">
-    <input type="hidden" name="JWT" value="${jwt}" />
+  <form id="deepLinkingForm" method="POST" action="${escapeHtml(returnUrl)}">
+    <input type="hidden" name="JWT" value="${escapeHtml(jwt)}" />
   </form>
   <script>
     document.getElementById('deepLinkingForm').submit();

package/dist/services/dynamicRegistration.service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"dynamicRegistration.service.d.ts","sourceRoot":"","sources":["../../src/services/dynamicRegistration.service.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,MAAM,CAAC;AAEvC,OAAO,KAAK,EAAE,yBAAyB,EAAE,MAAM,4BAA4B,CAAC;AAC5E,OAAO,KAAK,EAAE,6BAA6B,EAAE,MAAM,gDAAgD,CAAC;AACpG,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAC9D,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,uEAAuE,CAAC;AAErH,OAAO,EACL,KAAK,mBAAmB,EAEzB,MAAM,oEAAoE,CAAC;AAC5E,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,oEAAoE,CAAC;AAS9G;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2CG;AACH,qBAAa,0BAA0B;IASnC,OAAO,CAAC,OAAO;IACf,OAAO,CAAC,yBAAyB;IACjC,OAAO,CAAC,MAAM;IAVhB;;;;;;OAMG;gBAEO,OAAO,EAAE,UAAU,EACnB,yBAAyB,EAAE,yBAAyB,EACpD,MAAM,EAAE,UAAU;IAG5B;;;;;;;OAOG;IACG,0BAA0B,CAC9B,mBAAmB,EAAE,mBAAmB,GACvC,OAAO,CAAC,mBAAmB,CAAC;IAkC/B;;;;;;;;OAQG;IACG,2BAA2B,CAC/B,mBAAmB,EAAE,mBAAmB,EACxC,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,MAAM,CAAC;IAsClB;;;;;;;OAOG;IACG,2BAA2B,CAC/B,uBAAuB,EAAE,uBAAuB,GAC/C,OAAO,CAAC,MAAM,CAAC;IA2DlB;;;;;;OAMG;IACG,yBAAyB,CAC7B,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC,6BAA6B,GAAG,SAAS,CAAC;IAQrD;;;;;;;OAOG;IACH,OAAO,CAAC,8BAA8B;IA2CtC;;;;;;;;;OASG;IACH,OAAO,CAAC,aAAa;IA0BrB;;;;;;OAMG;IACH,OAAO,CAAC,WAAW;IAoBnB;;;;;;;OAOG;IACH,OAAO,CAAC,wBAAwB;YA0ClB,mCAAmC;IAgBjD,OAAO,CAAC,0BAA0B;CAiDnC"}
+{"version":3,"file":"dynamicRegistration.service.d.ts","sourceRoot":"","sources":["../../src/services/dynamicRegistration.service.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,MAAM,CAAC;AAEvC,OAAO,KAAK,EAAE,yBAAyB,EAAE,MAAM,4BAA4B,CAAC;AAC5E,OAAO,KAAK,EAAE,6BAA6B,EAAE,MAAM,gDAAgD,CAAC;AACpG,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAC9D,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,uEAAuE,CAAC;AAErH,OAAO,EACL,KAAK,mBAAmB,EAEzB,MAAM,oEAAoE,CAAC;AAC5E,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,oEAAoE,CAAC;AAW9G;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2CG;AACH,qBAAa,0BAA0B;IASnC,OAAO,CAAC,OAAO;IACf,OAAO,CAAC,yBAAyB;IACjC,OAAO,CAAC,MAAM;IAVhB;;;;;;OAMG;gBAEO,OAAO,EAAE,UAAU,EACnB,yBAAyB,EAAE,yBAAyB,EACpD,MAAM,EAAE,UAAU;IAG5B;;;;;;;OAOG;IACG,0BAA0B,CAC9B,mBAAmB,EAAE,mBAAmB,GACvC,OAAO,CAAC,mBAAmB,CAAC;IAkC/B;;;;;;;;OAQG;IACG,2BAA2B,CAC/B,mBAAmB,EAAE,mBAAmB,EACxC,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,MAAM,CAAC;IAsClB;;;;;;;OAOG;IACG,2BAA2B,CAC/B,uBAAuB,EAAE,uBAAuB,GAC/C,OAAO,CAAC,MAAM,CAAC;IA2DlB;;;;;;OAMG;IACG,yBAAyB,CAC7B,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC,6BAA6B,GAAG,SAAS,CAAC;IAQrD;;;;;;;OAOG;IACH,OAAO,CAAC,8BAA8B;IA2CtC;;;;;;;;;OASG;IACH,OAAO,CAAC,aAAa;IA0BrB;;;;;;OAMG;IACH,OAAO,CAAC,WAAW;IAoBnB;;;;;;;OAOG;IACH,OAAO,CAAC,wBAAwB;YA0ClB,mCAAmC;IAgBjD,OAAO,CAAC,0BAA0B;CAiDnC"}

package/dist/services/dynamicRegistration.service.js

@@ -1,4 +1,6 @@
 import { openIDConfigurationSchema, } from '../schemas/lti13/dynamicRegistration/openIDConfiguration.schema.js';
+import { escapeHtml } from '../utils/htmlEscaping.js';
+import { ltiServiceFetch } from '../utils/ltiServiceFetch.js';
 import { handleMoodleDynamicRegistration, postRegistrationToMoodle, } from './dynamicRegistrationHandlers/moodle.js';
 /**
  * Service for handling LTI 1.3 dynamic registration workflows.
@@ -70,7 +72,7 @@ export class DynamicRegistrationService {
      */
     async fetchPlatformConfiguration(registrationRequest) {
         const { openid_configuration, registration_token } = registrationRequest;
-        const response = await fetch(openid_configuration, {
+        const response = await ltiServiceFetch(openid_configuration, {
             method: 'GET',
             headers: {
                 // only include registration token if it was provided
@@ -349,11 +351,11 @@ export class DynamicRegistrationService {
         <div class="card-body">
           <dl class="row">
             <dt class="col-sm-3">Tool Name:</dt>
-            <dd class="col-sm-9">${registrationResponse.client_name}</dd>
+            <dd class="col-sm-9">${escapeHtml(registrationResponse.client_name)}</dd>
             <dt class="col-sm-3">Client ID:</dt>
-            <dd class="col-sm-9"><code>${registrationResponse.client_id}</code></dd>
+            <dd class="col-sm-9"><code>${escapeHtml(registrationResponse.client_id)}</code></dd>
             <dt class="col-sm-3">Deployment ID:</dt>
-            <dd class="col-sm-9"><code>${registrationResponse['https://purl.imsglobal.org/spec/lti-tool-configuration'].deployment_id || 'default'}</code></dd>
+            <dd class="col-sm-9"><code>${escapeHtml(registrationResponse['https://purl.imsglobal.org/spec/lti-tool-configuration'].deployment_id || 'default')}</code></dd>
           </dl>
         </div>
       </div>

package/dist/services/dynamicRegistrationHandlers/moodle.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"moodle.d.ts","sourceRoot":"","sources":["../../../src/services/dynamicRegistrationHandlers/moodle.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,MAAM,CAAC;AAEvC,OAAO,EAEL,KAAK,mBAAmB,EACxB,KAAK,oBAAoB,EAC1B,MAAM,eAAe,CAAC;AAQvB;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,wBAAgB,+BAA+B,CAC7C,mBAAmB,EAAE,mBAAmB,EACxC,WAAW,EAAE,MAAM,EACnB,YAAY,EAAE,MAAM,GACnB,MAAM,CA2FR;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAsB,wBAAwB,CAC5C,oBAAoB,EAAE,MAAM,EAC5B,mBAAmB,EAAE,OAAO,EAC5B,MAAM,EAAE,UAAU,EAClB,iBAAiB,CAAC,EAAE,MAAM,GACzB,OAAO,CAAC,oBAAoB,CAAC,CAuB/B"}
+{"version":3,"file":"moodle.d.ts","sourceRoot":"","sources":["../../../src/services/dynamicRegistrationHandlers/moodle.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,MAAM,CAAC;AAEvC,OAAO,EAEL,KAAK,mBAAmB,EACxB,KAAK,oBAAoB,EAC1B,MAAM,eAAe,CAAC;AAUvB;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,wBAAgB,+BAA+B,CAC7C,mBAAmB,EAAE,mBAAmB,EACxC,WAAW,EAAE,MAAM,EACnB,YAAY,EAAE,MAAM,GACnB,MAAM,CA2FR;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAsB,wBAAwB,CAC5C,oBAAoB,EAAE,MAAM,EAC5B,mBAAmB,EAAE,OAAO,EAC5B,MAAM,EAAE,UAAU,EAClB,iBAAiB,CAAC,EAAE,MAAM,GACzB,OAAO,CAAC,oBAAoB,CAAC,CAuB/B"}

package/dist/services/dynamicRegistrationHandlers/moodle.js

@@ -1,5 +1,7 @@
 import { RegistrationResponseSchema, } from '../../schemas';
-import { getAGSScopes, hasAGSSupport, hasDeepLinkingSupport, hasNRPSSupport, } from '../../utils/ltiPlatformCapabilities';
+import { escapeHtml } from '../../utils/htmlEscaping.js';
+import { getAGSScopes, hasAGSSupport, hasDeepLinkingSupport, hasNRPSSupport, } from '../../utils/ltiPlatformCapabilities.js';
+import { ltiServiceFetch } from '../../utils/ltiServiceFetch.js';
 /**
  * Generates Moodle-specific dynamic registration form HTML with service selection options.
  * Creates a Bootstrap 5 form that detects available LTI Advantage services from the platform
@@ -38,7 +40,7 @@ export function handleMoodleDynamicRegistration(openIdConfiguration, currentPath
         <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.8/dist/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-sRIl4kxILFvY47J16cr9ZwB07vP4J8+LH7qKQnuqkuIAvNWLzeN8tE5YBujZqJLB" crossorigin="anonymous">
       </head>
       <body class="container mt-4">
-        <form method="POST" action="${completeAction}">
+        <form method="POST" action="${escapeHtml(completeAction)}">
           <div class="mb-3">
             <label class="form-label">Available Services</label>
             ${hasAGS
@@ -98,7 +100,7 @@ export function handleMoodleDynamicRegistration(openIdConfiguration, currentPath
             </div>
           </div>
 
-          <input type="hidden" name="sessionToken" value="${sessionToken}">
+          <input type="hidden" name="sessionToken" value="${escapeHtml(sessionToken)}">
 
           <button type="submit" class="btn btn-primary">Register Tool</button>
         </form>
@@ -134,7 +136,7 @@ export async function postRegistrationToMoodle(registrationEndpoint, registratio
     if (registrationToken) {
         headers['Authorization'] = `Bearer ${registrationToken}`;
     }
-    const response = await fetch(registrationEndpoint, {
+    const response = await ltiServiceFetch(registrationEndpoint, {
         method: 'POST',
         headers,
         body: JSON.stringify(registrationPayload),

package/dist/services/nrps.service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"nrps.service.d.ts","sourceRoot":"","sources":["../../src/services/nrps.service.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,MAAM,CAAC;AAEvC,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAC9D,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAG9D,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAEvD;;;;;GAKG;AACH,qBAAa,WAAW;IASpB,OAAO,CAAC,YAAY;IACpB,OAAO,CAAC,OAAO;IACf,OAAO,CAAC,MAAM;IAVhB;;;;;;OAMG;gBAEO,YAAY,EAAE,YAAY,EAC1B,OAAO,EAAE,UAAU,EACnB,MAAM,EAAE,UAAU;IAG5B;;;;;;;;;;;;;;OAcG;IACG,UAAU,CAAC,OAAO,EAAE,UAAU,GAAG,OAAO,CAAC,QAAQ,CAAC;YAsB1C,YAAY;YAeZ,oBAAoB;CAanC"}
+{"version":3,"file":"nrps.service.d.ts","sourceRoot":"","sources":["../../src/services/nrps.service.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,MAAM,CAAC;AAEvC,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAC9D,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAI9D,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAEvD;;;;;GAKG;AACH,qBAAa,WAAW;IASpB,OAAO,CAAC,YAAY;IACpB,OAAO,CAAC,OAAO;IACf,OAAO,CAAC,MAAM;IAVhB;;;;;;OAMG;gBAEO,YAAY,EAAE,YAAY,EAC1B,OAAO,EAAE,UAAU,EACnB,MAAM,EAAE,UAAU;IAG5B;;;;;;;;;;;;;;OAcG;IACG,UAAU,CAAC,OAAO,EAAE,UAAU,GAAG,OAAO,CAAC,QAAQ,CAAC;YAsB1C,YAAY;YAeZ,oBAAoB;CAanC"}

package/dist/services/nrps.service.js

@@ -1,4 +1,5 @@
 import { getValidLaunchConfig } from '../utils/launchConfigValidation.js';
+import { ltiServiceFetch } from '../utils/ltiServiceFetch.js';
 /**
  * Names and Role Provisioning Services (NRPS) implementation for LTI 1.3.
  * Provides methods to retrieve course membership and user information from the platform.
@@ -41,7 +42,7 @@ export class NRPSService {
             throw new Error('NRPS not available for this session');
         }
         const token = await this.getNRPSToken(session, 'https://purl.imsglobal.org/spec/lti-nrps/scope/contextmembership.readonly');
-        const response = await fetch(session.services.nrps.membershipUrl, {
+        const response = await ltiServiceFetch(session.services.nrps.membershipUrl, {
             method: 'GET',
             headers: {
                 Authorization: `Bearer ${token}`,

package/dist/services/token.service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"token.service.d.ts","sourceRoot":"","sources":["../../src/services/token.service.ts"],"names":[],"mappings":"AAEA;;;;;;;;GAQG;AACH,qBAAa,YAAY;IAQrB,OAAO,CAAC,OAAO;IACf,OAAO,CAAC,KAAK;IARf;;;;;OAKG;gBAEO,OAAO,EAAE,aAAa,EACtB,KAAK,SAAS;IAGxB;;;;;;OAMG;IACG,qBAAqB,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAiBhF;;;;;;;;OAQG;IACG,cAAc,CAClB,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,EAChB,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,MAAM,CAAC;CA6BnB"}
+{"version":3,"file":"token.service.d.ts","sourceRoot":"","sources":["../../src/services/token.service.ts"],"names":[],"mappings":"AAIA;;;;;;;;GAQG;AACH,qBAAa,YAAY;IAQrB,OAAO,CAAC,OAAO;IACf,OAAO,CAAC,KAAK;IARf;;;;;OAKG;gBAEO,OAAO,EAAE,aAAa,EACtB,KAAK,SAAS;IAGxB;;;;;;OAMG;IACG,qBAAqB,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAiBhF;;;;;;;;OAQG;IACG,cAAc,CAClB,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,EAChB,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,MAAM,CAAC;CA6BnB"}

package/dist/services/token.service.js

@@ -1,4 +1,5 @@
 import { SignJWT } from 'jose';
+import { ltiServiceFetch } from '../utils/ltiServiceFetch.js';
 /**
  * Service for handling OAuth2 client credentials flow and JWT client assertions.
  * Used for obtaining bearer tokens to access LTI Advantage services (AGS, NRPS, etc.).
@@ -55,7 +56,7 @@ export class TokenService {
      */
     async getBearerToken(clientId, tokenUrl, scope) {
         const assertion = await this.createClientAssertion(clientId, tokenUrl);
-        const response = await fetch(tokenUrl, {
+        const response = await ltiServiceFetch(tokenUrl, {
             method: 'POST',
             headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
             body: new URLSearchParams({

package/dist/utils/htmlEscaping.d.ts

@@ -0,0 +1,28 @@
+/**
+ * Escapes HTML special characters to prevent XSS attacks when inserting
+ * untrusted content into HTML.
+ *
+ * Converts the following characters to their HTML entity equivalents:
+ * - `&` → `&`
+ * - `<` → `&lt;`
+ * - `>` → `&gt;`
+ * - `"` → `&quot;`
+ * - `'` → `&#39;`
+ *
+ * @param str - The string containing potentially unsafe HTML characters
+ * @returns The escaped string safe for insertion into HTML content or attributes
+ *
+ * @example
+ * ```typescript
+ * escapeHtml('<script>alert("XSS")</script>');
+ * // Returns: '&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;'
+ *
+ * escapeHtml('Tom & Jerry');
+ * // Returns: 'Tom &amp; Jerry'
+ *
+ * escapeHtml('<div class="foo">');
+ * // Returns: '&lt;div class=&quot;foo&quot;&gt;'
+ * ```
+ */
+export declare function escapeHtml(str: string): string;
+//# sourceMappingURL=htmlEscaping.d.ts.map

package/dist/utils/htmlEscaping.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"htmlEscaping.d.ts","sourceRoot":"","sources":["../../src/utils/htmlEscaping.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,wBAAgB,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAO9C"}

package/dist/utils/htmlEscaping.js

@@ -0,0 +1,34 @@
+/**
+ * Escapes HTML special characters to prevent XSS attacks when inserting
+ * untrusted content into HTML.
+ *
+ * Converts the following characters to their HTML entity equivalents:
+ * - `&` → `&`
+ * - `<` → `&lt;`
+ * - `>` → `&gt;`
+ * - `"` → `&quot;`
+ * - `'` → `&#39;`
+ *
+ * @param str - The string containing potentially unsafe HTML characters
+ * @returns The escaped string safe for insertion into HTML content or attributes
+ *
+ * @example
+ * ```typescript
+ * escapeHtml('<script>alert("XSS")</script>');
+ * // Returns: '&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;'
+ *
+ * escapeHtml('Tom & Jerry');
+ * // Returns: 'Tom &amp; Jerry'
+ *
+ * escapeHtml('<div class="foo">');
+ * // Returns: '&lt;div class=&quot;foo&quot;&gt;'
+ * ```
+ */
+export function escapeHtml(str) {
+    return str
+        .replace(/&/g, '&amp;')
+        .replace(/</g, '&lt;')
+        .replace(/>/g, '&gt;')
+        .replace(/"/g, '&quot;')
+        .replace(/'/g, '&#39;');
+}

package/dist/utils/ltiServiceFetch.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Wrapper around fetch() that automatically adds User-Agent header for LTI service requests.
+ *
+ * Canvas enforces User-Agent headers on all API requests starting January 2026.
+ * This wrapper ensures compliance while allowing user override if needed.
+ *
+ * @param url - Request URL (string or URL object)
+ * @param init - Fetch options (headers, method, body, etc.)
+ * @returns Promise resolving to Response
+ *
+ * @see https://community.canvaslms.com/t5/Releases-Production/Canvas-Release-Notes-2026-01-17/ta-p/616001
+ *
+ * @example
+ * ```typescript
+ * const response = await ltiServiceFetch('https://api.example.com/scores', {
+ *   method: 'POST',
+ *   headers: { 'Content-Type': 'application/json' },
+ *   body: JSON.stringify({ score: 95 })
+ * });
+ * */
+export declare function ltiServiceFetch(url: string | URL, init?: RequestInit): Promise<Response>;
+//# sourceMappingURL=ltiServiceFetch.d.ts.map

package/dist/utils/ltiServiceFetch.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ltiServiceFetch.d.ts","sourceRoot":"","sources":["../../src/utils/ltiServiceFetch.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;;;;;;;;;;KAmBK;AAEL,wBAAsB,eAAe,CACnC,GAAG,EAAE,MAAM,GAAG,GAAG,EACjB,IAAI,CAAC,EAAE,WAAW,GACjB,OAAO,CAAC,QAAQ,CAAC,CAenB"}

package/dist/utils/ltiServiceFetch.js

@@ -0,0 +1,35 @@
+import * as packageJson from '../../package.json';
+/**
+ * Wrapper around fetch() that automatically adds User-Agent header for LTI service requests.
+ *
+ * Canvas enforces User-Agent headers on all API requests starting January 2026.
+ * This wrapper ensures compliance while allowing user override if needed.
+ *
+ * @param url - Request URL (string or URL object)
+ * @param init - Fetch options (headers, method, body, etc.)
+ * @returns Promise resolving to Response
+ *
+ * @see https://community.canvaslms.com/t5/Releases-Production/Canvas-Release-Notes-2026-01-17/ta-p/616001
+ *
+ * @example
+ * ```typescript
+ * const response = await ltiServiceFetch('https://api.example.com/scores', {
+ *   method: 'POST',
+ *   headers: { 'Content-Type': 'application/json' },
+ *   body: JSON.stringify({ score: 95 })
+ * });
+ * */
+// oxlint-disable-next-line require-await
+export async function ltiServiceFetch(url, init) {
+    // Create Headers object from init.headers (handles all header input types)
+    const headers = new Headers(init?.headers);
+    // Add User-Agent only if not already present (allows override)
+    if (!headers.has('User-Agent')) {
+        headers.set('User-Agent', `lti-tool/${packageJson.version} (https://github.com/lti-tool/lti-tool)`);
+    }
+    // Call fetch with merged headers
+    return fetch(url, {
+        ...init,
+        headers,
+    });
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lti-tool/core",
-  "version": "0.14.1",
+  "version": "1.0.0",
   "description": "LTI 1.3 implementation for Node.js",
   "keywords": [
     "lti",

package/src/services/ags.service.ts

@@ -8,6 +8,7 @@ import type {
 } from '../schemas/lti13/ags/lineItem.schema.js';
 import type { ScoreSubmission } from '../schemas/lti13/ags/scoreSubmission.schema.js';
 import { getValidLaunchConfig } from '../utils/launchConfigValidation.js';
+import { ltiServiceFetch } from '../utils/ltiServiceFetch.js';
 
 import type { TokenService } from './token.service.js';
 
@@ -71,7 +72,7 @@ export class AGSService {
     };
 
     const agsScoreEndpoint = `${session.services.ags.lineitem}/scores`;
-    const response = await fetch(agsScoreEndpoint, {
+    const response = await ltiServiceFetch(agsScoreEndpoint, {
       method: 'POST',
       headers: {
         Authorization: `Bearer ${token}`,
@@ -110,7 +111,7 @@ export class AGSService {
 
     const resultsEndpoint = `${session.services.ags.lineitem}/results`;
 
-    const response = await fetch(resultsEndpoint, {
+    const response = await ltiServiceFetch(resultsEndpoint, {
       method: 'GET',
       headers: {
         Authorization: `Bearer ${token}`,
@@ -146,7 +147,7 @@ export class AGSService {
       'https://purl.imsglobal.org/spec/lti-ags/scope/lineitem.readonly',
     );
 
-    const response = await fetch(`${session.services.ags.lineitems}`, {
+    const response = await ltiServiceFetch(`${session.services.ags.lineitems}`, {
       method: 'GET',
       headers: {
         Authorization: `Bearer ${token}`,
@@ -182,7 +183,7 @@ export class AGSService {
       'https://purl.imsglobal.org/spec/lti-ags/scope/lineitem.readonly',
     );
 
-    const response = await fetch(`${session.services.ags.lineitem}`, {
+    const response = await ltiServiceFetch(`${session.services.ags.lineitem}`, {
       method: 'GET',
       headers: {
         Authorization: `Bearer ${token}`,
@@ -227,7 +228,7 @@ export class AGSService {
       'https://purl.imsglobal.org/spec/lti-ags/scope/lineitem',
     );
 
-    const response = await fetch(`${session.services.ags.lineitems}`, {
+    const response = await ltiServiceFetch(`${session.services.ags.lineitems}`, {
       method: 'POST',
       headers: {
         Authorization: `Bearer ${token}`,
@@ -271,7 +272,7 @@ export class AGSService {
       'https://purl.imsglobal.org/spec/lti-ags/scope/lineitem',
     );
 
-    const response = await fetch(session.services.ags.lineitem, {
+    const response = await ltiServiceFetch(session.services.ags.lineitem, {
       method: 'PUT',
       headers: {
         Authorization: `Bearer ${token}`,
@@ -307,7 +308,7 @@ export class AGSService {
       'https://purl.imsglobal.org/spec/lti-ags/scope/lineitem',
     );
 
-    const response = await fetch(session.services.ags.lineitem, {
+    const response = await ltiServiceFetch(session.services.ags.lineitem, {
       method: 'DELETE',
       headers: {
         Authorization: `Bearer ${token}`,

package/src/services/deepLinking.service.ts

@@ -3,6 +3,7 @@ import type { BaseLogger } from 'pino';
 
 import type { LTISession } from '../interfaces/ltiSession.js';
 import type { DeepLinkingContentItem } from '../schemas/lti13/deepLinking/contentItem.schema.js';
+import { escapeHtml } from '../utils/htmlEscaping.js';
 
 /**
  * Deep Linking service for LTI 1.3.
@@ -116,8 +117,8 @@ export class DeepLinkingService {
   <title>Returning to platform...</title>
 </head>
 <body>
-  <form id="deepLinkingForm" method="POST" action="${returnUrl}">
-    <input type="hidden" name="JWT" value="${jwt}" />
+  <form id="deepLinkingForm" method="POST" action="${escapeHtml(returnUrl)}">
+    <input type="hidden" name="JWT" value="${escapeHtml(jwt)}" />
   </form>
   <script>
     document.getElementById('deepLinkingForm').submit();

package/src/services/dynamicRegistration.service.ts

@@ -12,6 +12,8 @@ import {
 import type { RegistrationRequest } from '../schemas/lti13/dynamicRegistration/registrationRequest.schema.js';
 import type { RegistrationResponse } from '../schemas/lti13/dynamicRegistration/registrationResponse.schema.js';
 import type { ToolRegistrationPayload } from '../schemas/lti13/dynamicRegistration/toolRegistrationPayload.schema.js';
+import { escapeHtml } from '../utils/htmlEscaping.js';
+import { ltiServiceFetch } from '../utils/ltiServiceFetch.js';
 
 import {
   handleMoodleDynamicRegistration,
@@ -88,7 +90,7 @@ export class DynamicRegistrationService {
     registrationRequest: RegistrationRequest,
   ): Promise<OpenIDConfiguration> {
     const { openid_configuration, registration_token } = registrationRequest;
-    const response = await fetch(openid_configuration, {
+    const response = await ltiServiceFetch(openid_configuration, {
       method: 'GET',
       headers: {
         // only include registration token if it was provided
@@ -461,11 +463,11 @@ export class DynamicRegistrationService {
         <div class="card-body">
           <dl class="row">
             <dt class="col-sm-3">Tool Name:</dt>
-            <dd class="col-sm-9">${registrationResponse.client_name}</dd>
+            <dd class="col-sm-9">${escapeHtml(registrationResponse.client_name)}</dd>
             <dt class="col-sm-3">Client ID:</dt>
-            <dd class="col-sm-9"><code>${registrationResponse.client_id}</code></dd>
+            <dd class="col-sm-9"><code>${escapeHtml(registrationResponse.client_id)}</code></dd>
             <dt class="col-sm-3">Deployment ID:</dt>
-            <dd class="col-sm-9"><code>${registrationResponse['https://purl.imsglobal.org/spec/lti-tool-configuration'].deployment_id || 'default'}</code></dd>
+            <dd class="col-sm-9"><code>${escapeHtml(registrationResponse['https://purl.imsglobal.org/spec/lti-tool-configuration'].deployment_id || 'default')}</code></dd>
           </dl>
         </div>
       </div>

package/src/services/dynamicRegistrationHandlers/moodle.ts

@@ -5,12 +5,14 @@ import {
   type OpenIDConfiguration,
   type RegistrationResponse,
 } from '../../schemas';
+import { escapeHtml } from '../../utils/htmlEscaping.js';
 import {
   getAGSScopes,
   hasAGSSupport,
   hasDeepLinkingSupport,
   hasNRPSSupport,
-} from '../../utils/ltiPlatformCapabilities';
+} from '../../utils/ltiPlatformCapabilities.js';
+import { ltiServiceFetch } from '../../utils/ltiServiceFetch.js';
 
 /**
  * Generates Moodle-specific dynamic registration form HTML with service selection options.
@@ -55,7 +57,7 @@ export function handleMoodleDynamicRegistration(
         <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.8/dist/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-sRIl4kxILFvY47J16cr9ZwB07vP4J8+LH7qKQnuqkuIAvNWLzeN8tE5YBujZqJLB" crossorigin="anonymous">
       </head>
       <body class="container mt-4">
-        <form method="POST" action="${completeAction}">
+        <form method="POST" action="${escapeHtml(completeAction)}">
           <div class="mb-3">
             <label class="form-label">Available Services</label>
             ${
@@ -121,7 +123,7 @@ export function handleMoodleDynamicRegistration(
             </div>
           </div>
 
-          <input type="hidden" name="sessionToken" value="${sessionToken}">
+          <input type="hidden" name="sessionToken" value="${escapeHtml(sessionToken)}">
 
           <button type="submit" class="btn btn-primary">Register Tool</button>
         </form>
@@ -164,7 +166,7 @@ export async function postRegistrationToMoodle(
     headers['Authorization'] = `Bearer ${registrationToken}`;
   }
 
-  const response = await fetch(registrationEndpoint, {
+  const response = await ltiServiceFetch(registrationEndpoint, {
     method: 'POST',
     headers,
     body: JSON.stringify(registrationPayload),

package/src/services/nrps.service.ts

@@ -3,6 +3,7 @@ import type { BaseLogger } from 'pino';
 import type { LTISession } from '../interfaces/ltiSession.js';
 import type { LTIStorage } from '../interfaces/ltiStorage.js';
 import { getValidLaunchConfig } from '../utils/launchConfigValidation.js';
+import { ltiServiceFetch } from '../utils/ltiServiceFetch.js';
 
 import type { TokenService } from './token.service.js';
 
@@ -51,7 +52,7 @@ export class NRPSService {
       'https://purl.imsglobal.org/spec/lti-nrps/scope/contextmembership.readonly',
     );
 
-    const response = await fetch(session.services.nrps.membershipUrl, {
+    const response = await ltiServiceFetch(session.services.nrps.membershipUrl, {
       method: 'GET',
       headers: {
         Authorization: `Bearer ${token}`,

package/src/services/token.service.ts

@@ -1,5 +1,7 @@
 import { SignJWT } from 'jose';
 
+import { ltiServiceFetch } from '../utils/ltiServiceFetch.js';
+
 /**
  * Service for handling OAuth2 client credentials flow and JWT client assertions.
  * Used for obtaining bearer tokens to access LTI Advantage services (AGS, NRPS, etc.).
@@ -61,7 +63,7 @@ export class TokenService {
   ): Promise<string> {
     const assertion = await this.createClientAssertion(clientId, tokenUrl);
 
-    const response = await fetch(tokenUrl, {
+    const response = await ltiServiceFetch(tokenUrl, {
       method: 'POST',
       headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
       body: new URLSearchParams({

package/src/utils/htmlEscaping.ts

@@ -0,0 +1,34 @@
+/**
+ * Escapes HTML special characters to prevent XSS attacks when inserting
+ * untrusted content into HTML.
+ *
+ * Converts the following characters to their HTML entity equivalents:
+ * - `&` → `&`
+ * - `<` → `&lt;`
+ * - `>` → `&gt;`
+ * - `"` → `&quot;`
+ * - `'` → `&#39;`
+ *
+ * @param str - The string containing potentially unsafe HTML characters
+ * @returns The escaped string safe for insertion into HTML content or attributes
+ *
+ * @example
+ * ```typescript
+ * escapeHtml('<script>alert("XSS")</script>');
+ * // Returns: '&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;'
+ *
+ * escapeHtml('Tom & Jerry');
+ * // Returns: 'Tom &amp; Jerry'
+ *
+ * escapeHtml('<div class="foo">');
+ * // Returns: '&lt;div class=&quot;foo&quot;&gt;'
+ * ```
+ */
+export function escapeHtml(str: string): string {
+  return str
+    .replace(/&/g, '&amp;')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;')
+    .replace(/"/g, '&quot;')
+    .replace(/'/g, '&#39;');
+}

package/src/utils/ltiServiceFetch.ts

@@ -0,0 +1,42 @@
+import * as packageJson from '../../package.json';
+
+/**
+ * Wrapper around fetch() that automatically adds User-Agent header for LTI service requests.
+ *
+ * Canvas enforces User-Agent headers on all API requests starting January 2026.
+ * This wrapper ensures compliance while allowing user override if needed.
+ *
+ * @param url - Request URL (string or URL object)
+ * @param init - Fetch options (headers, method, body, etc.)
+ * @returns Promise resolving to Response
+ *
+ * @see https://community.canvaslms.com/t5/Releases-Production/Canvas-Release-Notes-2026-01-17/ta-p/616001
+ *
+ * @example
+ * ```typescript
+ * const response = await ltiServiceFetch('https://api.example.com/scores', {
+ *   method: 'POST',
+ *   headers: { 'Content-Type': 'application/json' },
+ *   body: JSON.stringify({ score: 95 })
+ * });
+ * */
+// oxlint-disable-next-line require-await
+export async function ltiServiceFetch(
+  url: string | URL,
+  init?: RequestInit,
+): Promise<Response> {
+  // Create Headers object from init.headers (handles all header input types)
+  const headers = new Headers(init?.headers);
+  // Add User-Agent only if not already present (allows override)
+  if (!headers.has('User-Agent')) {
+    headers.set(
+      'User-Agent',
+      `lti-tool/${packageJson.version} (https://github.com/lti-tool/lti-tool)`,
+    );
+  }
+  // Call fetch with merged headers
+  return fetch(url, {
+    ...init,
+    headers,
+  });
+}