Update server settings authLoginCustomMessage to sanitize on save and load

2026-03-18 05:49:42 +00:00 · 2026-03-11 17:18:05 -05:00 · 2026-03-11 17:18:05 -05:00 · 972193b193
commit 972193b193
parent 690a7e0da9
2 changed files with 7 additions and 4 deletions
--- a/server/objects/settings/ServerSettings.js
+++ b/server/objects/settings/ServerSettings.js
@ -3,6 +3,7 @@ const packageJson = require('../../../package.json')
 const { BookshelfView } = require('../../utils/constants')
 const Logger = require('../../Logger')
 const User = require('../../models/User')
+const { sanitize } = require('../../utils/htmlSanitizer')

 class ServerSettings {
  constructor(settings) {
@ -126,7 +127,7 @@ class ServerSettings {
    this.version = settings.version || null
    this.buildNumber = settings.buildNumber || 0 // Added v2.4.5

-    this.authLoginCustomMessage = settings.authLoginCustomMessage || null // Added v2.8.0
+    this.authLoginCustomMessage = sanitize(settings.authLoginCustomMessage) || null // Added v2.8.0
    this.authActiveAuthMethods = settings.authActiveAuthMethods || ['local']

    this.authOpenIDIssuerURL = settings.authOpenIDIssuerURL || null
@ -309,7 +310,7 @@ class ServerSettings {

  get authFormData() {
    const clientFormData = {
-      authLoginCustomMessage: this.authLoginCustomMessage
+      authLoginCustomMessage: sanitize(this.authLoginCustomMessage)
    }
    if (this.authActiveAuthMethods.includes('openid')) {
      clientFormData.authOpenIDButtonText = this.authOpenIDButtonText
@ -327,6 +328,9 @@ class ServerSettings {
  update(payload) {
    let hasUpdates = false
    for (const key in payload) {
+      if (key === 'authLoginCustomMessage') {
+        payload[key] = sanitize(payload[key])
+      }
      if (key === 'sortingPrefixes') {
        // Sorting prefixes are updated with the /api/sorting-prefixes endpoint
        continue