From 4bdd76d94c450f2de329379cecf4a672dbd23a9d Mon Sep 17 00:00:00 2001
From: advplyr
Date: Wed, 18 Mar 2026 17:01:19 -0500
Subject: [PATCH] Update podcast episode update endpoint to sanitize subtitle
---
 server/controllers/PodcastController.js | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/server/controllers/PodcastController.js b/server/controllers/PodcastController.js
index 1ebe1d110..c70287600 100644
--- a/server/controllers/PodcastController.js
+++ b/server/controllers/PodcastController.js
@@ -412,6 +412,12 @@ class PodcastController {
 Logger.debug(`[PodcastController] Sanitized description from "${req.body[key]}" to "${sanitizedDescription}"`)
 req.body[key] = sanitizedDescription
 }
+ } else if (key === 'subtitle' && req.body[key]) {
+ const sanitizedSubtitle = htmlSanitizer.sanitize(req.body[key])
+ if (sanitizedSubtitle !== req.body[key]) {
+ Logger.debug(`[PodcastController] Sanitized subtitle from "${req.body[key]}" to "${sanitizedSubtitle}"`)
+ req.body[key] = sanitizedSubtitle
+ }
 }
 updatePayload[key] = req.body[key]
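Review bot: The new `Logger.debug` line interpolates the raw, pre-sanitization `req.body[key]` into the log message, so the markup the sanitizer just stripped, and any newlines in it, is still written to the log verbatim; the description branch above does the same. Logging only the fact, e.g. `Logger.debug('[PodcastController] Sanitized subtitle on episode update')`, or a length-capped, newline-escaped copy, avoids forged log lines and keeps the rejected markup out of any log viewer that renders HTML. The subtitle branch is also a copy of the description branch; one check such as `['description', 'subtitle'].includes(key)` around a single sanitize step would make it harder to miss the next HTML-bearing field. The enclosing loop and any string-type check on `req.body[key]` lie outside the hunk, and this sanitizes only the update endpoint, so other paths that write `subtitle` (not visible here) should be checked as well.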