From a5362de9cc0a6d69c96679bce94eb831d381ebba Mon Sep 17 00:00:00 2001
From: advplyr
Date: Thu, 23 Apr 2026 14:34:59 -0500
Subject: [PATCH] Update podcast createFromRequest to sanitize html description

---
 server/models/Podcast.js | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/server/models/Podcast.js b/server/models/Podcast.js
index a96e1dd02..02f8981c8 100644
--- a/server/models/Podcast.js
+++ b/server/models/Podcast.js
@@ -89,6 +89,9 @@ class Podcast extends Model {
 }
 })
 
+ const rawDescription = typeof payload.metadata.description === 'string' ? payload.metadata.description : null
+ const description = rawDescription ? htmlSanitizer.sanitize(rawDescription) : null
+
 return this.create(
 {
 title,
@@ -97,7 +100,7 @@ class Podcast extends Model {
 releaseDate: typeof payload.metadata.releaseDate === 'string' ? payload.metadata.releaseDate : null,
 feedURL: typeof payload.metadata.feedUrl === 'string' ? payload.metadata.feedUrl : null,
 imageURL: typeof payload.metadata.imageUrl === 'string' ? payload.metadata.imageUrl : null,
- description: typeof payload.metadata.description === 'string' ? payload.metadata.description : null,
+ description,
 itunesPageURL: typeof payload.metadata.itunesPageUrl === 'string' ? payload.metadata.itunesPageUrl : null,
 itunesId: typeof payload.metadata.itunesId === 'string' ? payload.metadata.itunesId : null,
 itunesArtistId: typeof payload.metadata.itunesArtistId === 'string' ? payload.metadata.itunesArtistId : null,
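Review bot: `htmlSanitizer` is called in the added lines of the first hunk, but the diffstat (4 insertions, 1 deletion, all accounted for by these two hunks) shows no `require` being added. The name therefore has to be in scope in server/models/Podcast.js already; if it is not, createFromRequest throws a ReferenceError on every request that carries a string description. The truthiness test in `rawDescription ? htmlSanitizer.sanitize(rawDescription) : null` also changes stored data slightly: an empty-string description, which the old code stored as `''`, is now stored as null. If that is intended, a comment above the two lines such as `// Sanitize client-supplied HTML before it is persisted; empty or non-string descriptions become null` would record it. createFromRequest starts and ends outside the hunk.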
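Review bot: The sibling fields in the second hunk are still accepted on a `typeof … === 'string'` check alone, so `feedURL`, `imageURL` and `itunesPageURL` are persisted without confirming they parse as http(s) URLs. How much that matters depends on how clients render these values and whether the server later fetches them, neither of which is visible here. Parsing each with `new URL(value)` and keeping it only when `protocol` is `http:` or `https:` would fit the intent of this commit. Sanitizing the description at creation time also leaves untouched any other write path (metadata edits or feed refreshes, if they exist) and rows stored before this change, so the rendering side should not assume the column is clean. The object literal passed to `this.create` continues past the end of the hunk.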