From 3faa6f3e7d1ad52101a9355fa07efd26f13ea60d Mon Sep 17 00:00:00 2001
From: advplyr
Date: Thu, 19 Mar 2026 16:57:22 -0500
Subject: [PATCH] Update playlist create/update endpoint to strip all html tags

---
 server/controllers/PlaylistController.js | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/server/controllers/PlaylistController.js b/server/controllers/PlaylistController.js
index 972c352a4..bc1a7a455 100644
--- a/server/controllers/PlaylistController.js
+++ b/server/controllers/PlaylistController.js
@@ -2,6 +2,7 @@ const { Request, Response, NextFunction } = require('express')
 const Logger = require('../Logger')
 const SocketAuthority = require('../SocketAuthority')
 const Database = require('../Database')
+const htmlSanitizer = require('../utils/htmlSanitizer')
 
 /**
  * @typedef RequestUserObject
@@ -29,7 +30,8 @@ class PlaylistController {
     const reqBody = req.body || {}
 
     // Validation
-    if (!reqBody.name || !reqBody.libraryId) {
+    const nameCleaned = htmlSanitizer.stripAllTags(reqBody.name)
+    if (!nameCleaned || !reqBody.libraryId) {
       return res.status(400).send('Invalid playlist data')
     }
     if (reqBody.description && typeof reqBody.description !== 'string') {
@@ -84,7 +86,7 @@ class PlaylistController {
       {
         libraryId: reqBody.libraryId,
         userId: req.user.id,
-        name: reqBody.name,
+        name: nameCleaned,
         description: reqBody.description || null
       },
       { transaction }
@@ -174,7 +176,11 @@ class PlaylistController {
     }
 
     const playlistUpdatePayload = {}
-    if (reqBody.name) playlistUpdatePayload.name = reqBody.name
+
+    const nameCleaned = htmlSanitizer.stripAllTags(reqBody.name)
+    if (nameCleaned) {
+      playlistUpdatePayload.name = nameCleaned
+    }
     if (reqBody.description) playlistUpdatePayload.description = reqBody.description
 
     // Update name and description
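Review bot: In the create validation hunk, `htmlSanitizer.stripAllTags(reqBody.name)` runs before any type check on `name`, while the very next condition rejects a non-string `description`; what the sanitizer does with an array, object or number from the JSON body is not visible on this page, so the cleaned value may either throw or coerce and be accepted. Mirror the description check before stripping, e.g. `if (typeof reqBody.name !== 'string' || !reqBody.libraryId) return res.status(400).send('Invalid playlist data')`, then compute `nameCleaned` from the validated string. The same missing type check applies to the update hunk, where `stripAllTags(reqBody.name)` is likewise called on an unvalidated value. `description` is still stored as `reqBody.description || null` with no tag stripping, so if it is rendered the same way as the name the change covers only half of the user-supplied payload; worth confirming against the client before merging. The create method's body begins and ends outside this hunk.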
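Review bot: In the update hunk, `if (nameCleaned)` silently drops the name change when the supplied name is non-empty but reduces to `''` after stripping (a tags-only name), whereas the create path returns 400 for the same input; the client receives a success response with the old name intact. Reject that case explicitly before building the payload, e.g. `if (reqBody.name && !nameCleaned) return res.status(400).send('Invalid playlist data')`, keeping the existing behaviour for an absent or empty name. Whether `stripAllTags` tolerates an absent `name` (the removed line guarded the call with `if (reqBody.name)`) depends on the helper, which is not on the page. The update method starts and ends outside this hunk, so any earlier validation it performs on `name` is not visible here.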