From febaff97228b37a192f2630aa331cac5e5c3e98e Mon Sep 17 00:00:00 2001
From: krateng
Date: Sun, 17 Dec 2023 03:12:54 +0100
Subject: [PATCH] Fix XSS vulnerability in error page
---
 dev/releases/3.2.yml | 1 +
 maloja/__pkginfo__.py | 2 +-
 .../config/rules/predefined/krateng_kpopgirlgroups.tsv | 2 ++
 maloja/web/jinja/error.jinja | 4 ++--
 pyproject.toml | 2 +-
 5 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/dev/releases/3.2.yml b/dev/releases/3.2.yml
index 8e5b37b7..3c890e60 100644
--- a/dev/releases/3.2.yml
+++ b/dev/releases/3.2.yml
@@ -33,6 +33,7 @@ minor_release_name: "Nicole"
 - "[Technical] Upgraded all third party modules to use requests module and send User Agent"
 3.2.2:
 notes:
+ - "[Security] Fixed XSS vulnerability in error page (Disclosed by https://github.com/NULLYUKI)"
 - "[Architecture] Reworked the default directory selection"
 - "[Feature] Added option to show scrobbles on tile charts"
 - "[Bugfix] Fixed Last.fm authentication"
\ No newline at end of file
diff --git a/maloja/__pkginfo__.py b/maloja/__pkginfo__.py
index 47c8e251..6bd621b2 100644
--- a/maloja/__pkginfo__.py
+++ b/maloja/__pkginfo__.py
@@ -4,7 +4,7 @@
 # you know what f*ck it
 # this is hardcoded for now because of that damn project / package name discrepancy
 # i'll fix it one day
-VERSION = "3.2.1"
+VERSION = "3.2.2"
 HOMEPAGE = "https://github.com/krateng/maloja"
diff --git a/maloja/data_files/config/rules/predefined/krateng_kpopgirlgroups.tsv b/maloja/data_files/config/rules/predefined/krateng_kpopgirlgroups.tsv
index 840bd846..6bd7cf78 100644
--- a/maloja/data_files/config/rules/predefined/krateng_kpopgirlgroups.tsv
+++ b/maloja/data_files/config/rules/predefined/krateng_kpopgirlgroups.tsv
@@ -217,6 +217,8 @@ countas Pristin V Pristin
 # CLC
 countas Sorn CLC
+countas Yeeun CLC
+countas Seungyeon CLC
 # Popular Remixes
 artistintitle Areia Remix Areia
diff --git a/maloja/web/jinja/error.jinja b/maloja/web/jinja/error.jinja
index 3654bd3e..9904316d 100644
--- a/maloja/web/jinja/error.jinja
+++ b/maloja/web/jinja/error.jinja
@@ -8,8 +8,8 @@
-

{{ error_desc }}


- {{ error_full_desc }} +

{{ error_desc | e }}


+ {{ error_full_desc | e }}
diff --git a/pyproject.toml b/pyproject.toml
index e5438727..3a56757c 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "malojaserver"
-version = "3.2.1"
+version = "3.2.2"
 description = "Self-hosted music scrobble database"
 readme = "./README.md"
 requires-python = ">=3.10"
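Review bot: The `| e` filter on `{{ error_desc | e }}` and `{{ error_full_desc | e }}` fixes these two sites only, so every other variable rendered by the same environment stays unescaped and the same class of bug recurs the next time a request-derived value reaches a template. The durable fix is to enable autoescaping where the `jinja2.Environment` is constructed (outside this hunk), e.g. `autoescape=select_autoescape(["html", "xml", "jinja"])` — the `jinja` extension has to be listed because `select_autoescape` enables only `html`, `htm` and `xml` by default — and the explicit `| e` can stay, since an already-escaped `Markup` value is not escaped a second time. The surrounding markup of this hunk appears to have been stripped in this rendering, so it cannot be verified that both values land in element text rather than an attribute or script context, where `e` alone would not be sufficient. The enclosing template block starts and ends outside the hunk.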