Update playlist create/update endpoint to strip all html tags
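--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -2,6 +2,7 @@ const { Request, Response, NextFunction } = require('express')
 const Logger = require('../Logger')
 const SocketAuthority = require('../SocketAuthority')
 const Database = require('../Database')
+const htmlSanitizer = require('../utils/htmlSanitizer')
 
 /**
 * @typedef RequestUserObject
@@ -29,7 +30,8 @@ class PlaylistController {
 const reqBody = req.body || {}
 
 // Validation
-if (!reqBody.name || !reqBody.libraryId) {
+const nameCleaned = htmlSanitizer.stripAllTags(reqBody.name)
+if (!nameCleaned || !reqBody.libraryId) {
 return res.status(400).send('Invalid playlist data')
 }
 if (reqBody.description && typeof reqBody.description !== 'string') {
@@ -84,7 +86,7 @@ class PlaylistController {
 {
 libraryId: reqBody.libraryId,
 userId: req.user.id,
-name: reqBody.name,
+name: nameCleaned,
 description: reqBody.description || null
 },
 { transaction }
@@ -174,7 +176,11 @@ class PlaylistController {
 }
 
 const playlistUpdatePayload = {}
-if (reqBody.name) playlistUpdatePayload.name = reqBody.name
+const nameCleaned = htmlSanitizer.stripAllTags(reqBody.name)
+if (nameCleaned) {
+playlistUpdatePayload.name = nameCleaned
+}
 if (reqBody.description) playlistUpdatePayload.description = reqBody.description
 
 // Update name and description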