From 0e7163eb2cf8486f009cbffeab92eff388cdbbe1 Mon Sep 17 00:00:00 2001
From: Deluan <deluan@navidrome.org>
Date: Wed, 11 Nov 2020 12:26:47 -0500
Subject: [PATCH] Sanitize comments and lyrics on import, as they are rendered
 as HTML on the UI

---
 scanner/mapping.go | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/scanner/mapping.go b/scanner/mapping.go
index b6723c5dc..5deba3cdd 100644
--- a/scanner/mapping.go
+++ b/scanner/mapping.go
@@ -12,14 +12,16 @@ import (
 	"github.com/deluan/navidrome/scanner/metadata"
 	"github.com/deluan/navidrome/utils"
 	"github.com/kennygrant/sanitize"
+	"github.com/microcosm-cc/bluemonday"
 )
 
 type mediaFileMapper struct {
 	rootFolder string
+	policy     *bluemonday.Policy
 }
 
 func newMediaFileMapper(rootFolder string) *mediaFileMapper {
-	return &mediaFileMapper{rootFolder: rootFolder}
+	return &mediaFileMapper{rootFolder: rootFolder, policy: bluemonday.UGCPolicy()}
 }
 
 func (s *mediaFileMapper) toMediaFile(md metadata.Metadata) model.MediaFile {
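Review bot: `bluemonday.UGCPolicy()` in `newMediaFileMapper` is a fairly permissive allowlist for tag text: it keeps links and images, so a comment or lyrics tag in an imported file can still make the UI load a remote resource when the track is viewed. If the UI only needs plain text, a tighter policy such as `policy: bluemonday.StrictPolicy()` would remove that surface; if some formatting is wanted, a custom policy limited to the needed elements is the safer middle ground. The new struct field would also benefit from a comment, for example `// policy sanitizes tag text that the UI renders as HTML (comments, lyrics)`.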
@@ -59,8 +61,8 @@ func (s *mediaFileMapper) toMediaFile(md metadata.Metadata) model.MediaFile {
 	mf.MbzAlbumArtistID = md.MbzAlbumArtistID()
 	mf.MbzAlbumType = md.MbzAlbumType()
 	mf.MbzAlbumComment = md.MbzAlbumComment()
-	mf.Comment = md.Comment()
-	mf.Lyrics = md.Lyrics()
+	mf.Comment = s.policy.Sanitize(md.Comment())
+	mf.Lyrics = s.policy.Sanitize(md.Lyrics())
 
 	// TODO Get Creation time. https://github.com/djherbis/times ?
 	mf.CreatedAt = md.ModificationTime()
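Review bot: Sanitizing inside `toMediaFile` covers only files scanned after this change, so `Comment` and `Lyrics` values already stored stay unsanitized until those files are re-imported; a one-off migration or sanitizing again at render time would close that gap. `mf.MbzAlbumComment` on the line above is still stored raw, and if the UI renders it the same way it would need `s.policy.Sanitize(md.MbzAlbumComment())` as well, which cannot be confirmed from this hunk. Storing the sanitized form also means HTML-escaped entities (for example `&amp;`) reach any non-HTML consumer of these fields. `toMediaFile` starts and ends outside the hunk.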