Update server settings authLoginCustomMessage to sanitize on save and load

This commit is contained in:
advplyr
2026-03-11 17:18:05 -05:00
parent 690a7e0da9
commit 972193b193
2 changed files with 7 additions and 4 deletions


@@ -3,6 +3,7 @@ const packageJson = require('../../../package.json')
const { BookshelfView } = require('../../utils/constants')
const Logger = require('../../Logger')
const User = require('../../models/User')
const { sanitize } = require('../../utils/htmlSanitizer')
class ServerSettings {
constructor(settings) {
@@ -126,7 +127,7 @@ class ServerSettings {
this.version = settings.version || null
this.buildNumber = settings.buildNumber || 0 // Added v2.4.5
this.authLoginCustomMessage = settings.authLoginCustomMessage || null // Added v2.8.0
this.authLoginCustomMessage = sanitize(settings.authLoginCustomMessage) || null // Added v2.8.0
this.authActiveAuthMethods = settings.authActiveAuthMethods || ['local']
this.authOpenIDIssuerURL = settings.authOpenIDIssuerURL || null
@@ -309,7 +310,7 @@ class ServerSettings {
get authFormData() {
const clientFormData = {
authLoginCustomMessage: this.authLoginCustomMessage
authLoginCustomMessage: sanitize(this.authLoginCustomMessage)
}
if (this.authActiveAuthMethods.includes('openid')) {
clientFormData.authOpenIDButtonText = this.authOpenIDButtonText
@@ -327,6 +328,9 @@ class ServerSettings {
update(payload) {
let hasUpdates = false
for (const key in payload) {
if (key === 'authLoginCustomMessage') {
payload[key] = sanitize(payload[key])
}
if (key === 'sortingPrefixes') {
// Sorting prefixes are updated with the /api/sorting-prefixes endpoint
continue
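Review bot: The new `authLoginCustomMessage: sanitize(this.authLoginCustomMessage)` in `authFormData` changes the value sent to the client from `null` to `''` when no message is configured, because `sanitize` (per the htmlSanitizer change in this commit) now returns `''` for any non-string input including `null`; the constructor on the same file keeps the `null` contract with `sanitize(...) || null`, so the getter should match it: `authLoginCustomMessage: sanitize(this.authLoginCustomMessage) || null`. In `update(payload)`, the in-place `payload[key] = sanitize(payload[key])` has the same effect on a non-string value a client might send (an object or number), silently storing an empty message instead of rejecting the request, since the sanitizer no longer throws; if this route is meant to validate input, an explicit `typeof payload[key] === 'string'` check that fails the update would be clearer than silent coercion. Sanitizing on load, on save and again on read is safe only if `sanitize` is idempotent on its own output (e.g. does not re-escape `&amp;`); that is not visible here and is worth confirming against the sanitizer options. The body of `update()` continues past the end of this hunk.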


@@ -5,11 +5,10 @@ const { entities } = require('./htmlEntities')
*
* @param {string} html
* @returns {string}
* @throws {Error} if input is not a string
*/
function sanitize(html) {
if (typeof html !== 'string') {
throw new Error('sanitizeHtml: input must be a string')
return ''
}
const sanitizerOptions = {
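Review bot: The JSDoc still declares `@param {string} html` and `@returns {string}` while the function now accepts any value and returns `''` for non-strings, so the contract change the commit makes is undocumented; replace the two lines with `@param {string} html - untrusted HTML; non-string values (including null/undefined) yield ''` and `@returns {string} sanitized HTML, or '' when the input is not a string`. Returning `''` rather than passing the value through is the right fail-closed default for a sanitizer, but callers that previously relied on the throw to distinguish `null` from an empty message now need their own null handling (the ServerSettings constructor in this commit does so with `|| null`, the `authFormData` getter does not). If this module has access to the project logger, a warn on non-string input would keep misuse visible without reintroducing the throw; whether it does is not visible here. The function body continues past the end of this hunk.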