Fix URL validation see BT#10217

main/newscorm/learnpath.class.php

@@ -10354,8 +10354,24 @@ EOD;
      *
      * @return string
      */
-    public function checkXFrameOptions($src)
+    public function fixBlockedLinks($src)
     {
+        $urlInfo = parse_url($src);
+        //$platformProtocol = api_get_protocol();
+
+        $platformProtocol = 'https';
+        if (strpos(api_get_path(WEB_CODE_PATH), 'https') === false) {
+            $platformProtocol = 'http';
+        }
+
+        $protocolFixApplied = false;
+        if ($platformProtocol != $urlInfo['scheme']) {
+            $_SESSION['x_frame_source'] = $src;
+            $src = 'blank.php?error=x_frames_options';
+            $protocolFixApplied = true;
+        }
+
+        if ($protocolFixApplied == false) {
             if (strpos($src, api_get_path(WEB_CODE_PATH)) === false) {
                 // Check X-Frame-Options
                 $ch = curl_init();
@@ -10388,6 +10404,7 @@ EOD;
                     $src = 'blank.php?error=x_frames_options';
                 }
             }
+        }
 
         return $src;
     }

main/newscorm/lp_content.php

@@ -57,7 +57,7 @@ if ($dokeos_chapter) {
                 $src = 'blank.php?error=prerequisites';
             }
 
-            $src = $_SESSION['oLP']->checkXFrameOptions($src);
+            $src = $_SESSION['oLP']->fixBlockedLinks($src);
             break;
         case 2:
             $_SESSION['oLP']->stop_previous_item();

main/newscorm/lp_view.php

@@ -169,7 +169,7 @@ if (!isset($src)) {
                     $src = api_get_path(WEB_CODE_PATH).'newscorm/lp_view_item.php?lp_item_id='.$lp_item_id.'&'.api_get_cidreq();
                 }
 
-                $src = $_SESSION['oLP']->checkXFrameOptions($src);
+                $src = $_SESSION['oLP']->fixBlockedLinks($src);
 
                 $_SESSION['oLP']->start_current_item(); // starts time counter manually if asset
             } else {