From 972193b19352752966f5afbbbb1e264868ff78d9 Mon Sep 17 00:00:00 2001
From: advplyr
Date: Wed, 11 Mar 2026 17:18:05 -0500
Subject: [PATCH] Update server settings authLoginCustomMessage to sanitize on save and load
---
 server/objects/settings/ServerSettings.js | 8 ++++++--
 server/utils/htmlSanitizer.js | 3 +--
 2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/server/objects/settings/ServerSettings.js b/server/objects/settings/ServerSettings.js
index a03e17c75..99f5b76aa 100644
--- a/server/objects/settings/ServerSettings.js
+++ b/server/objects/settings/ServerSettings.js
@@ -3,6 +3,7 @@ const packageJson = require('../../../package.json')
 const { BookshelfView } = require('../../utils/constants')
 const Logger = require('../../Logger')
 const User = require('../../models/User')
+const { sanitize } = require('../../utils/htmlSanitizer')
 class ServerSettings {
 constructor(settings) {
@@ -126,7 +127,7 @@ class ServerSettings {
 this.version = settings.version || null
 this.buildNumber = settings.buildNumber || 0 // Added v2.4.5
- this.authLoginCustomMessage = settings.authLoginCustomMessage || null // Added v2.8.0
+ this.authLoginCustomMessage = sanitize(settings.authLoginCustomMessage) || null // Added v2.8.0
 this.authActiveAuthMethods = settings.authActiveAuthMethods || ['local']
 this.authOpenIDIssuerURL = settings.authOpenIDIssuerURL || null
@@ -309,7 +310,7 @@ class ServerSettings {
 get authFormData() {
 const clientFormData = {
- authLoginCustomMessage: this.authLoginCustomMessage
+ authLoginCustomMessage: sanitize(this.authLoginCustomMessage)
 }
 if (this.authActiveAuthMethods.includes('openid')) {
 clientFormData.authOpenIDButtonText = this.authOpenIDButtonText
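Review bot: The rewritten `authLoginCustomMessage` line in `authFormData` now sends `''` to the client when no message is configured, because the constructor stores the field as `null` (`sanitize(...) || null`) and the patched `sanitize` returns `''` for any non-string input; a client that tests `=== null` to hide the message block would see a behaviour change, and the API's shape for the unset case silently shifts. Preserving the sentinel is one line: `authLoginCustomMessage: this.authLoginCustomMessage ? sanitize(this.authLoginCustomMessage) : null`. Sanitizing again in the getter is redundant once the constructor and `update()` clean the value, and is acceptable as defence in depth only if `sanitize` is idempotent — the sanitizer's options are not visible here, so a unit test asserting `sanitize(sanitize(s)) === sanitize(s)` for an input containing entities and one containing a stripped tag would make that explicit. The getter's body continues past the end of the hunk.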
@@ -327,6 +328,9 @@ class ServerSettings {
 update(payload) {
 let hasUpdates = false
 for (const key in payload) {
+ if (key === 'authLoginCustomMessage') {
+ payload[key] = sanitize(payload[key])
+ }
 if (key === 'sortingPrefixes') {
 // Sorting prefixes are updated with the /api/sorting-prefixes endpoint
 continue
diff --git a/server/utils/htmlSanitizer.js b/server/utils/htmlSanitizer.js
index dbac1e5e0..be839b7c2 100644
--- a/server/utils/htmlSanitizer.js
+++ b/server/utils/htmlSanitizer.js
@@ -5,11 +5,10 @@ const { entities } = require('./htmlEntities')
 *
 * @param {string} html
 * @returns {string}
- * @throws {Error} if input is not a string
 */
 function sanitize(html) {
 if (typeof html !== 'string') {
- throw new Error('sanitizeHtml: input must be a string')
+ return ''
 }
 const sanitizerOptions = {
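Review bot: The new `payload[key] = sanitize(payload[key])` in `update()` drops the `|| null` normalization the constructor applies, so a request that clears the message (a `null` value, or a string the sanitizer reduces to nothing) ends up storing `''` where the load path would produce `null`, and the two representations of "no message" diverge. `payload[key] = sanitize(payload[key]) || null` keeps them aligned and still guarantees the stored value is never unsanitized. Because `sanitize` now swallows non-strings, an array or object sent for this key is silently turned into `''` rather than rejected; that is the safe direction, but a validation error at the route layer would give the admin a clearer signal than a blanked-out message. The remainder of `update()` lies outside the hunk.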
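Review bot: The `@param {string} html` tag on `sanitize` is now inaccurate: the function accepts any value and returns `''` for non-strings, and the removed `@throws` line is not replaced by anything that tells a caller this. Returning an empty string is the right fail-closed behaviour for a sanitizer, but it should be documented so `''` is not misread as "the input was empty", e.g. `@param {string|null|undefined} html` and ` * @returns {string} sanitized markup, or '' when html is not a string`. Turning a thrown error into a silent coercion also removes the only signal that a caller passed the wrong type; a debug-level log on that branch would be cheap if this module has a logger available. `sanitize` continues past the end of the hunk.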