starred/audiobookshelf
1
0
Fork 0
mirror of https://github.com/advplyr/audiobookshelf.git synced 2026-05-30 23:40:40 +02:00
Code Issues 1.0k Packages Projects Releases 10 Wiki Activity

Update collection create/update endpoints to strip html tags from collection name

Browse Source
This commit is contained in:
advplyr
2026-03-19 16:53:21 -05:00
parent efe2a22674
commit 9821c31f8e
2 changed files with 12 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
client/components/modals/collections/AddCreateModal.vue
+1 -1
View File
@@ -227,7 +227,7 @@ export default {
.catch((error) => { .catch((error) => {
console.error('Failed to create collection', error) console.error('Failed to create collection', error)
var errMsg = error.response ? error.response.data || '' : '' var errMsg = error.response ? error.response.data || '' : ''
this.$toast.error(this.$strings.ToastCollectionCreateFailed + ': ' + errMsg) this.$toast.error(errMsg)
this.processing = false this.processing = false
}) })
} }
server/controllers/CollectionController.js
+11 -5
View File
@@ -3,6 +3,7 @@ const Sequelize = require('sequelize')
const Logger = require('../Logger') const Logger = require('../Logger')
const SocketAuthority = require('../SocketAuthority') const SocketAuthority = require('../SocketAuthority')
const Database = require('../Database') const Database = require('../Database')
const htmlSanitizer = require('../utils/htmlSanitizer')
const RssFeedManager = require('../managers/RssFeedManager') const RssFeedManager = require('../managers/RssFeedManager')
@@ -31,8 +32,10 @@ class CollectionController {
async create(req, res) { async create(req, res) {
const reqBody = req.body || {} const reqBody = req.body || {}
const nameCleaned = htmlSanitizer.stripAllTags(reqBody.name)
// Validation // Validation
if (!reqBody.name || !reqBody.libraryId) { if (!nameCleaned || !reqBody.libraryId) {
return res.status(400).send('Invalid collection data') return res.status(400).send('Invalid collection data')
} }
if (reqBody.description && typeof reqBody.description !== 'string') { if (reqBody.description && typeof reqBody.description !== 'string') {
@@ -65,7 +68,7 @@ class CollectionController {
newCollection = await Database.collectionModel.create( newCollection = await Database.collectionModel.create(
{ {
libraryId: reqBody.libraryId, libraryId: reqBody.libraryId,
name: reqBody.name, name: nameCleaned,
description: reqBody.description || null description: reqBody.description || null
}, },
{ transaction } { transaction }
@@ -145,9 +148,12 @@ class CollectionController {
collectionUpdatePayload.description = req.body.description collectionUpdatePayload.description = req.body.description
wasUpdated = true wasUpdated = true
} }
if (req.body.name !== undefined && req.body.name !== req.collection.name) { if (req.body.name !== undefined && typeof req.body.name === 'string') {
collectionUpdatePayload.name = req.body.name const nameCleaned = htmlSanitizer.stripAllTags(req.body.name)
wasUpdated = true if (nameCleaned !== req.collection.name) {
collectionUpdatePayload.name = nameCleaned
wasUpdated = true
}
} }
if (wasUpdated) { if (wasUpdated) {