Update playlist create/update endpoint to strip all html tags
This commit is contained in:
parent
9821c31f8e
commit
3faa6f3e7d
1 changed files with 9 additions and 3 deletions
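--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -2,6 +2,7 @@ const { Request, Response, NextFunction } = require('express')
 const Logger = require('../Logger')
 const SocketAuthority = require('../SocketAuthority')
 const Database = require('../Database')
+const htmlSanitizer = require('../utils/htmlSanitizer')
 
 /**
 * @typedef RequestUserObject
@@ -29,7 +30,8 @@ class PlaylistController {
 const reqBody = req.body || {}
 
 // Validation
-if (!reqBody.name || !reqBody.libraryId) {
+const nameCleaned = htmlSanitizer.stripAllTags(reqBody.name)
+if (!nameCleaned || !reqBody.libraryId) {
 return res.status(400).send('Invalid playlist data')
 }
 if (reqBody.description && typeof reqBody.description !== 'string') {
@@ -84,7 +86,7 @@ class PlaylistController {
 {
 libraryId: reqBody.libraryId,
 userId: req.user.id,
-name: reqBody.name,
+name: nameCleaned,
 description: reqBody.description || null
 },
 { transaction }
@@ -174,7 +176,11 @@ class PlaylistController {
 }
 
 const playlistUpdatePayload = {}
-if (reqBody.name) playlistUpdatePayload.name = reqBody.name
+const nameCleaned = htmlSanitizer.stripAllTags(reqBody.name)
+if (nameCleaned) {
+playlistUpdatePayload.name = nameCleaned
+}
 if (reqBody.description) playlistUpdatePayload.description = reqBody.description
 
 // Update name and description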
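Review bot: The description field still passes through untouched on both the create path (`description: reqBody.description || null`) and the update path (`playlistUpdatePayload.description = reqBody.description`), so only the name is actually stripped of tags; running `htmlSanitizer.stripAllTags` over the description as well would match what the commit title says it does. On create, `reqBody.name` reaches `stripAllTags` without the `typeof` guard that the description gets one line later — if the helper does not coerce non-strings, a guard such as `if (typeof reqBody.name !== 'string' || !reqBody.libraryId) return res.status(400).send('Invalid playlist data')` placed before the sanitizer call would be the safer order. In the update hunk the old `if (reqBody.name)` guard was dropped, so `stripAllTags(reqBody.name)` now runs with `undefined` whenever a client updates only the description; whether that yields a falsy value or throws depends on the helper, which is outside the hunk, so wrapping it in `if (typeof reqBody.name === 'string')` would make the behaviour explicit. Note also that a name consisting solely of tags now silently leaves the stored name unchanged on update instead of being rejected, which may or may not be intended. Both enclosing methods start and end outside these hunks.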