Fix XSS vulnerability in error page

dev/releases/3.2.yml

@@ -33,6 +33,7 @@ minor_release_name: "Nicole"
     - "[Technical] Upgraded all third party modules to use requests module and send User Agent"
 3.2.2:
     notes:
+    - "[Security] Fixed XSS vulnerability in error page (Disclosed by https://github.com/NULLYUKI)"
     - "[Architecture] Reworked the default directory selection"
     - "[Feature] Added option to show scrobbles on tile charts"
     - "[Bugfix] Fixed Last.fm authentication"

maloja/__pkginfo__.py

@@ -4,7 +4,7 @@
 # you know what f*ck it
 # this is hardcoded for now because of that damn project / package name discrepancy
 # i'll fix it one day
-VERSION = "3.2.1"
+VERSION = "3.2.2"
 HOMEPAGE = "https://github.com/krateng/maloja"
 
 

maloja/data_files/config/rules/predefined/krateng_kpopgirlgroups.tsv

@@ -217,6 +217,8 @@ countas			Pristin V		Pristin
 
 # CLC
 countas			Sorn				CLC
+countas			Yeeun				CLC
+countas			Seungyeon			CLC
 
 # Popular Remixes
 artistintitle	Areia Remix				Areia

maloja/web/jinja/error.jinja

@@ -8,8 +8,8 @@
 				<div style="background-image:url('/favicon.png')"></div>
 			</td>
 			<td class="text">
-				<h1>{{ error_desc }}</h1><br/>
+				<h1>{{ error_desc | e }}</h1><br/>
-				{{ error_full_desc }}
+				{{ error_full_desc | e }}
 
 			</td>
 		</tr>

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "malojaserver"
-version = "3.2.1"
+version = "3.2.2"
 description = "Self-hosted music scrobble database"
 readme = "./README.md"
 requires-python = ">=3.10"