Merge branch 'advplyr:master' into auto-generate-chapters-from-timestamps

2026-05-16 16:31:30 +00:00 · 2026-03-20 17:25:04 +00:00 · 2026-03-20 17:25:04 +00:00 · cbbe85c35e
commit cbbe85c35e
parent 7f88d4b036 8b89b27654
19 changed files with 220 additions and 149 deletions
--- a/server/auth/TokenManager.js
+++ b/server/auth/TokenManager.js
@ -234,6 +234,13 @@ class TokenManager {
      }

      const user = await Database.userModel.getUserById(apiKey.userId)
+
+      if (!user?.isActive) {
+        // deny login
+        done(null, null)
+        return
+      }
+
      done(null, user)
    } else {
      // JWT based authentication
--- a/server/controllers/CollectionController.js
+++ b/server/controllers/CollectionController.js
@ -3,6 +3,7 @@ const Sequelize = require('sequelize')
 const Logger = require('../Logger')
 const SocketAuthority = require('../SocketAuthority')
 const Database = require('../Database')
+const htmlSanitizer = require('../utils/htmlSanitizer')

 const RssFeedManager = require('../managers/RssFeedManager')

@ -31,8 +32,10 @@ class CollectionController {
  async create(req, res) {
    const reqBody = req.body || {}

+    const nameCleaned = htmlSanitizer.stripAllTags(reqBody.name)
+
    // Validation
-    if (!reqBody.name || !reqBody.libraryId) {
+    if (!nameCleaned || !reqBody.libraryId) {
      return res.status(400).send('Invalid collection data')
    }
    if (reqBody.description && typeof reqBody.description !== 'string') {
@ -65,7 +68,7 @@ class CollectionController {
      newCollection = await Database.collectionModel.create(
        {
          libraryId: reqBody.libraryId,
-          name: reqBody.name,
+          name: nameCleaned,
          description: reqBody.description || null
        },
        { transaction }
@ -145,9 +148,12 @@ class CollectionController {
      collectionUpdatePayload.description = req.body.description
      wasUpdated = true
    }
-    if (req.body.name !== undefined && req.body.name !== req.collection.name) {
-      collectionUpdatePayload.name = req.body.name
-      wasUpdated = true
+    if (req.body.name !== undefined && typeof req.body.name === 'string') {
+      const nameCleaned = htmlSanitizer.stripAllTags(req.body.name)
+      if (nameCleaned !== req.collection.name) {
+        collectionUpdatePayload.name = nameCleaned
+        wasUpdated = true
+      }
    }

    if (wasUpdated) {
--- a/server/controllers/PlaylistController.js
+++ b/server/controllers/PlaylistController.js
@ -2,6 +2,7 @@ const { Request, Response, NextFunction } = require('express')
 const Logger = require('../Logger')
 const SocketAuthority = require('../SocketAuthority')
 const Database = require('../Database')
+const htmlSanitizer = require('../utils/htmlSanitizer')

 /**
 * @typedef RequestUserObject
@ -29,7 +30,8 @@ class PlaylistController {
    const reqBody = req.body || {}

    // Validation
-    if (!reqBody.name || !reqBody.libraryId) {
+    const nameCleaned = htmlSanitizer.stripAllTags(reqBody.name)
+    if (!nameCleaned || !reqBody.libraryId) {
      return res.status(400).send('Invalid playlist data')
    }
    if (reqBody.description && typeof reqBody.description !== 'string') {
@ -84,7 +86,7 @@ class PlaylistController {
        {
          libraryId: reqBody.libraryId,
          userId: req.user.id,
-          name: reqBody.name,
+          name: nameCleaned,
          description: reqBody.description || null
        },
        { transaction }
@ -174,7 +176,11 @@ class PlaylistController {
    }

    const playlistUpdatePayload = {}
-    if (reqBody.name) playlistUpdatePayload.name = reqBody.name
+
+    const nameCleaned = htmlSanitizer.stripAllTags(reqBody.name)
+    if (nameCleaned) {
+      playlistUpdatePayload.name = nameCleaned
+    }
    if (reqBody.description) playlistUpdatePayload.description = reqBody.description

    // Update name and description
--- a/server/controllers/PodcastController.js
+++ b/server/controllers/PodcastController.js
@ -412,6 +412,12 @@ class PodcastController {
            Logger.debug(`[PodcastController] Sanitized description from "${req.body[key]}" to "${sanitizedDescription}"`)
            req.body[key] = sanitizedDescription
          }
+        } else if (key === 'subtitle' && req.body[key]) {
+          const sanitizedSubtitle = htmlSanitizer.sanitize(req.body[key])
+          if (sanitizedSubtitle !== req.body[key]) {
+            Logger.debug(`[PodcastController] Sanitized subtitle from "${req.body[key]}" to "${sanitizedSubtitle}"`)
+            req.body[key] = sanitizedSubtitle
+          }
        }

        updatePayload[key] = req.body[key]