--- loncom/interface/lonexturlcheck.pm 2019/05/02 02:12:19 1.1 +++ loncom/interface/lonexturlcheck.pm 2020/02/15 03:54:43 1.4 @@ -1,7 +1,7 @@ # The LearningOnline Network with CAPA # Handler to check if external resource can be shown in iframe # -# $Id: lonexturlcheck.pm,v 1.1 2019/05/02 02:12:19 raeburn Exp $ +# $Id: lonexturlcheck.pm,v 1.4 2020/02/15 03:54:43 raeburn Exp $ # # Copyright Michigan State University Board of Trustees # @@ -41,10 +41,10 @@ Called in course context by course perso privilege or with view-only access to course editing tools. Query string contains one item: name=exturl, value=URL of external resource -(format: http://hostname/path or https://hostname/path). +(format: http://hostname/path or https://hostname/path). The resource URL is sent to &loncommon::is_nonframeable() to check whether -it can be displayed in an iframe in a page served by the current host. +it can be displayed in an iframe in a page served by the current host. =head1 OVERVIEW @@ -53,18 +53,18 @@ Input: external resource URL (from query Hostname, lonHostID, and IP address for this node are retrieved from Apache. Dependencies: calls &loncommon::is_nonframeable() to check if server where -external resource is hosted is configured with a Content-Security-Policy or +external resource is hosted is configured with a Content-Security-Policy or with X-Frame-options settings which prohibit display of the resource within -an iframe in a LON-CAPA page served from this node. +an iframe in a LON-CAPA page served from this node. Output to print buffer: (content-type: text/plain): 1, 0, -1 or empty string. '' -- display in iframe is allowed -1 -- display in iframe not allowed +1 -- display in iframe not allowed 0 -- invalid URL --1 -- could not verify course editing privilege or view-only access to +-1 -- could not verify course editing privilege or view-only access to course editing tools -HTTP Return codes: +HTTP Return codes: 406 -- if user is not in a course 200 -- otherwise 
@@ -76,7 +76,6 @@ use strict; use Apache::Constants qw(:common :http); use Apache::lonnet; use Apache::loncommon; -use LONCAPA::LWPReq; use HTTP::Request; sub handler { @@ -98,11 +97,12 @@ sub handler { ((&Apache::lonnet::allowed('mdc',$env{'request.course.id'})) || (&Apache::lonnet::allowed('cev',$env{'request.course.id'})))) { &Apache::loncommon::get_unprocessed_cgi($ENV{'QUERY_STRING'},['exturl']); - if ($env{'form.exturl'} =~ m{^https?\://[^/]+}) { + $env{'form.exturl'} =~ s/^\s+|\s+$//g; + if ($env{'form.exturl'} =~ m{^https?\://([a-z0-9]+(-[a-z0-9]+)*\.)+[a-z]{2,}}i) { my $hostname = $r->hostname(); my $lonhost = $r->dir_config('lonHostID'); my $ip = &Apache::lonnet::get_host_ip($lonhost); - $r->print(&Apache::loncommon::is_nonframeable($env{'form.exturl'},'',$hostname,$ip)); + $r->print(&Apache::loncommon::is_nonframeable($env{'form.exturl'},'',$hostname,$ip,1)); } else { $r->print(0); }
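Review bot: The new regex on the `if` line is only a prefix match on the host, so everything after the first run of labels is unconstrained: `http://example.com@10.0.0.1/` or `http://example.com:80@internal/` passes the check while the authority a client (or &loncommon::is_nonframeable(), which presumably fetches the URL server-side now that `use LONCAPA::LWPReq` was dropped from this file) actually uses is the part after the `@`, so the validation does not bound which host gets contacted. Terminate the match at the end of the authority so userinfo and arbitrary trailers are rejected, e.g. `if ($env{'form.exturl'} =~ m{^https?://(?:[a-z0-9]+(?:-[a-z0-9]+)*\.)+[a-z]{2,}(?::\d{1,5})?(?:/|$)}i) {` (drop `(?::\d{1,5})?` if explicit ports are not meant to be accepted). The enclosing `if` condition and the `handler` sub both begin and end outside this hunk, so the `request.course.id` guard on the preceding line is assumed from the visible `&&`/`||` fragment.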