--- loncom/interface/lonsyllabus.pm	2020/01/20 17:21:08	1.138.2.5.2.2
+++ loncom/interface/lonsyllabus.pm	2022/10/29 14:47:00	1.153
@@ -1,7 +1,7 @@
 # The LearningOnline Network
 # Syllabus
 #
-# $Id: lonsyllabus.pm,v 1.138.2.5.2.2 2020/01/20 17:21:08 raeburn Exp $
+# $Id: lonsyllabus.pm,v 1.153 2022/10/29 14:47:00 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -170,6 +170,7 @@ sub handler {
                 } else {
                     my $brcrum;
                     if ($env{'form.folderpath'} =~ /^supplemental/) {
+                        &Apache::loncommon::validate_folderpath(1,'',$cnum,$cdom);
                         my $title = $env{'form.title'};
                         if ($title eq '') {
                             $title = &mt('Syllabus');
@@ -187,7 +188,8 @@ sub handler {
         unless ($allowed && $forceedit) {
             if (($env{'user.name'} eq 'public') && ($env{'user.domain'} eq 'public') &&
                 ($ENV{'SERVER_PORT'} == 443) && ($external =~ m{^http://}) && !($env{'form.usehttp'})) {
-                unless (&Apache::lonnet::uses_sts()) {
+                my $hostname = $r->hostname();
+                unless ((&Apache::lonnet::uses_sts()) || (&Apache::lonnet::waf_allssl($hostname))) {
                     &redirect_to_http($r);
                     return OK;
                 }
@@ -204,10 +206,12 @@ sub handler {
                     $is_pdf = 1;
                 }
                 if ($env{'form.folderpath'} =~ /^supplemental/) {
+                    &Apache::loncommon::validate_folderpath(1,'',$cnum,$cdom);
                     my $title = $env{'form.title'};
                     if ($title eq '') {
                         $title = &mt('Syllabus');
                     }
+                    $title = &HTML::Entities::encode($title,'\'"<>&');
                     $brcrum =
                         &Apache::lonhtmlcommon::docs_breadcrumbs(undef,$crstype,undef,$title,1);
                 }
@@ -313,10 +317,8 @@ sub handler {
     if ($allowed) {
 #---------------------------------- Print External URL Syllabus Info if editing
         if ($target ne 'tex') {
-            my $hostname = &Apache::lonnet::hostname($homeserver);
-            my $protocol = $Apache::lonnet::protocol{$homeserver};
-            $protocol = 'http' if ($protocol ne 'https');
-            my $link = $protocol.'://'.$hostname.$r->uri;
+            my $link = &Apache::lonnet::url_prefix($r,$cdom,$homeserver,'web').
+                       $r->uri;
             $r->print('<div class="LC_left_float">'
                      .'<span class="LC_help_open_topic LC_info">'
                      .'<span class="LC_info">'
@@ -325,7 +327,7 @@ sub handler {
                      .'</span>'
                      .'</div><div style="padding:0;clear:both;margin:0;border:0"></div>'."\n");
             my $lonhost = $r->dir_config('lonHostID');
-            $r->print(&chooser($external,$uploaded,$minimal,$cdom,$cnum,$lonhost,
+            $r->print(&chooser($r,$external,$uploaded,$minimal,$cdom,$cnum,$lonhost,
                                \%syllabusfields,\%syllabus));
         }
     } else {
@@ -764,6 +766,7 @@ sub get_breadcrumbs{
     my ($cdom,$cnum,$crstype,$args) = @_;
     return unless (ref($args) eq 'HASH');
     if ($env{'form.folderpath'} =~ /^supplemental/) {
+        &Apache::loncommon::validate_folderpath(1,'',$cnum,$cdom);
         my $title = $env{'form.title'};
         if ($title eq '') {
             $title = &mt('Syllabus');
@@ -788,7 +791,7 @@ sub get_breadcrumbs{
 }
 
 sub chooser {
-    my ($external,$uploaded,$minimal,$cdom,$cnum,$lonhost,$fields,$values) = @_;
+    my ($r,$external,$uploaded,$minimal,$cdom,$cnum,$lonhost,$fields,$values) = @_;
     my %lt = &Apache::lonlocal::texthash(
                  'type'          => 'Syllabus Type',
                  'url'           => 'External URL',
@@ -853,7 +856,7 @@ sub chooser {
                '<div id="minimal" class="LC_left_float" style="display: '.$display{'minimal'}.'">'."\n".
                '<fieldset><legend>'.$lt{'minimal'}.'</legend>';
     if ($minimal) {
-        my ($absurl,$filename,$depbutton) = &syllabus_file_info($minimal,$cnum,$cdom,$lonhost,'minimal');
+        my ($absurl,$filename,$depbutton) = &syllabus_file_info($r,$minimal,$cnum,$cdom,$lonhost,'minimal');
         $output .= '<a href="javascript:extUrlPreview('."'currminimal'".');">'.$lt{'pr'}.'</a>'.
                    '<input type="hidden" name="minimalfile" value="'.&HTML::Entities::encode($absurl).'?inhibitmenu=yes" id="currminimal" />'.
                    $depbutton;
@@ -866,7 +869,7 @@ sub chooser {
                '<div id="file" class="LC_left_float" style="display: '.$display{'file'}.'">'."\n".
                '<fieldset><legend>'.$lt{'file'}.'</legend>';
     if ($uploaded) {
-        my ($absurl,$filename,$depbutton) = &syllabus_file_info($uploaded,$cnum,$cdom,$lonhost,'file');
+        my ($absurl,$filename,$depbutton) = &syllabus_file_info($r,$uploaded,$cnum,$cdom,$lonhost,'file');
         $output .= '<span class="LC_nobreak">'.$lt{'curr'}.'&nbsp;'.
                    '<input type="hidden" name="uploadedfile" value="'.&HTML::Entities::encode($absurl).'?inhibitmenu=yes" id="currfile" />'.
                    '<a href="javascript:extUrlPreview('."'currfile'".');">'.$filename.'</a></span>'.$depbutton.
@@ -901,10 +904,12 @@ sub chooser {
 }
 
 sub syllabus_file_info {
-    my ($item,$cnum,$cdom,$lonhost,$context) = @_;
+    my ($r,$item,$cnum,$cdom,$lonhost,$context) = @_;
     my $hostname = &Apache::lonnet::hostname($lonhost);
     my $protocol = $Apache::lonnet::protocol{$lonhost};
     $protocol = 'http' if ($protocol ne 'https');
+    my $alias = &Apache::lonnet::use_proxy_alias($r,$lonhost);
+    $hostname = $alias if ($alias ne '');
     my $absurl = $protocol.'://'.$hostname.$item;
     my ($filename) = ($item =~ m{([^/]+)$});
     my $file=&Apache::lonnet::filelocation("",$item);
@@ -1315,8 +1320,8 @@ sub save_changes {
                               &mt('An error occurred storing the external URL: [_1]',$putres).
                               '</div>';
                 }
-                $is_ext = $external;
             }
+            $is_ext = $external;
         } else {
             $output = '<div class="LC_error">'.
                       &mt('External URL not saved -- invalid URL.').