Sanitize media item & episode description on update

Fix safari specific issue with line clamp on description #4348
Merge pull request #4349 from advplyr/trix_prevent_attachments
2026-01-01 04:00:45 -05:00 · 2025-05-31 17:01:58 -05:00 · 2025-05-30 17:33:15 -05:00 · 2025-05-29 17:37:31 -05:00
4 changed files with 41 additions and 1 deletions
--- a/client/pages/item/_id/index.vue
+++ b/client/pages/item/_id/index.vue
@@ -819,6 +819,17 @@ export default {
  -webkit-line-clamp: 4;
  max-height: calc(6 * 1lh);
 }
+
+/* Safari-specific fix for the description clamping */
+@supports (-webkit-touch-callout: none) {
+  #item-description {
+    position: relative;
+    display: block;
+    overflow: hidden;
+    max-height: calc(6 * 1lh);
+  }
+}
+
 #item-description.show-full {
  -webkit-line-clamp: unset;
  max-height: 999rem;
--- a/server/controllers/PodcastController.js
+++ b/server/controllers/PodcastController.js
@@ -9,6 +9,7 @@ const fs = require('../libs/fsExtra')
 const { getPodcastFeed, findMatchingEpisodes } = require('../utils/podcastUtils')
 const { getFileTimestampsWithIno, filePathToPOSIX } = require('../utils/fileUtils')
 const { validateUrl } = require('../utils/index')
+const htmlSanitizer = require('../utils/htmlSanitizer')

 const Scanner = require('../scanner/Scanner')
 const CoverManager = require('../managers/CoverManager')
@@ -404,6 +405,15 @@ class PodcastController {
    const supportedStringKeys = ['title', 'subtitle', 'description', 'pubDate', 'episode', 'season', 'episodeType']
    for (const key in req.body) {
      if (supportedStringKeys.includes(key) && typeof req.body[key] === 'string') {
+        // Sanitize description HTML
+        if (key === 'description' && req.body[key]) {
+          const sanitizedDescription = htmlSanitizer.sanitize(req.body[key])
+          if (sanitizedDescription !== req.body[key]) {
+            Logger.debug(`[PodcastController] Sanitized description from "${req.body[key]}" to "${sanitizedDescription}"`)
+            req.body[key] = sanitizedDescription
+          }
+        }
+
        updatePayload[key] = req.body[key]
      } else if (key === 'chapters' && Array.isArray(req.body[key]) && req.body[key].every((ch) => typeof ch === 'object' && ch.title && ch.start)) {
        updatePayload[key] = req.body[key]
--- a/server/models/Book.js
+++ b/server/models/Book.js
@@ -377,8 +377,17 @@ class Book extends Model {
        if (typeof payload.metadata[key] == 'number') {
          payload.metadata[key] = String(payload.metadata[key])
        }
-          
+
        if ((typeof payload.metadata[key] === 'string' || payload.metadata[key] === null) && this[key] !== payload.metadata[key]) {
+          // Sanitize description HTML
+          if (key === 'description' && payload.metadata[key]) {
+            const sanitizedDescription = htmlSanitizer.sanitize(payload.metadata[key])
+            if (sanitizedDescription !== payload.metadata[key]) {
+              Logger.debug(`[Book] "${this.title}" Sanitized description from "${payload.metadata[key]}" to "${sanitizedDescription}"`)
+              payload.metadata[key] = sanitizedDescription
+            }
+          }
+
          this[key] = payload.metadata[key] || null

          if (key === 'title') {
--- a/server/models/Podcast.js
+++ b/server/models/Podcast.js
@@ -2,6 +2,7 @@ const { DataTypes, Model } = require('sequelize')
 const { getTitlePrefixAtEnd, getTitleIgnorePrefix } = require('../utils')
 const Logger = require('../Logger')
 const libraryItemsPodcastFilters = require('../utils/queries/libraryItemsPodcastFilters')
+const htmlSanitizer = require('../utils/htmlSanitizer')

 /**
 * @typedef PodcastExpandedProperties
@@ -215,6 +216,15 @@ class Podcast extends Model {
          newKey = 'itunesPageURL'
        }
        if ((typeof payload.metadata[key] === 'string' || payload.metadata[key] === null) && payload.metadata[key] !== this[newKey]) {
+          // Sanitize description HTML
+          if (key === 'description' && payload.metadata[key]) {
+            const sanitizedDescription = htmlSanitizer.sanitize(payload.metadata[key])
+            if (sanitizedDescription !== payload.metadata[key]) {
+              Logger.debug(`[Podcast] "${this.title}" Sanitized description from "${payload.metadata[key]}" to "${sanitizedDescription}"`)
+              payload.metadata[key] = sanitizedDescription
+            }
+          }
+
          this[newKey] = payload.metadata[key] || null

          if (key === 'title') {
Author	SHA1	Message	Date
advplyr	9052ceedd3	Sanitize media item & episode description on update	2025-05-31 17:01:58 -05:00
advplyr	4968864498	Fix safari specific issue with line clamp on description #4348	2025-05-30 17:33:15 -05:00
advplyr	f44c2d9e11	Merge pull request #4349 from advplyr/trix_prevent_attachments Update rich text editor to prevent pasting in images from the browser	2025-05-29 17:37:31 -05:00