SVG files uploaded as icons are saved without sanitisation. Embedded
script tags, event handlers, foreignObject elements, and javascript:
URIs in SVG content enable stored XSS.
Adds sanitizeSvg() that strips dangerous elements and attributes
before saving. Applied via uploadIcon() so template imports are
also covered.
Co-authored-by: bitr8 <bitr8@users.noreply.github.com>
PlaceholderDiscovery re-verified TV items via isPlaceholderItem() which
returns false during library-level scans (no Children metadata in Plex
response). The marker file on disk already proves it's an Agregarr-created
placeholder, so trust that instead of re-checking a broken API path.
Also: find S00E00 by episode index not array position, and use async
placeholder detection in the orphan scan for definitive TV identification.
Ref #414
Co-authored-by: bitr8 <bitr8@users.noreply.github.com>
vm2 is listed as a dependency but never imported anywhere in the
codebase. It has been deprecated and has multiple sandbox escape
CVEs. Removing it.
Co-authored-by: bitr8 <bitr8@users.noreply.github.com>
Longstanding Plex bug not respecting label restrictions for Collections on Home/Recommended has been
fixed in PMS Beta 1.43.1.10540, confirmed working with Agregarr. Also removes previous easter egg
which enabled the option (intended for use when the project was going to be a PR for Overseerr,
allowing use of the option without waiting for an update)
fix#112
Maintainerr v3 renamed `plexId` (number) to `mediaServerId` (string)
in their API response. The overlay context builder compared against the
old field, silently failing to match any media items so daysUntilAction
never populated.
Read `mediaServerId` with fallback to `plexId`, compare as strings.
Supports both Maintainerr v2 and v3.
Fixes#501
Co-authored-by: bitr8 <bitr8@users.noreply.github.com>
Plex returns seasons as Children.Directory (not Children.Metadata)
when using ?includeChildren=1. All placeholder detection code only
checked Children.Metadata, so isPlaceholderItem() always returned
false for TV shows — skipping title fixes and triggering false
cleanup of valid placeholders.
Added Metadata || Directory fallback across all detection paths,
type casts, and getChildrenMetadata() API helper.
Fixes#414
Co-authored-by: bitr8 <bitr8@users.noreply.github.com>
When an item isn't yet visible in Plex, indexOf returns -1 and
splice(-1, 1) removes the last element of the tracking array,
corrupting all subsequent move decisions.
Co-authored-by: bitr8 <bitr8@users.noreply.github.com>
Add pagination loop to process all library items instead of only the first 50. Use
plexApi.getLibraries() instead of OverlayLibraryConfig so libraries without overlays are included.
#433
The overlay test endpoint checks every collection for item membership
sequentially. With ~150 collections at ~250ms each, the request takes
~37 seconds and the frontend times out.
Batched the getCollectionItems() calls with Promise.all at concurrency
10, matching the pattern in OverlayLibraryService. Brings the check
down to ~4 seconds for 150 collections.
Fixes#468
Co-authored-by: bitr8 <bitr8@users.noreply.github.com>
lookupByMal() iterates all ~25k anime ID rows to find a MAL ID match.
MAL sources can fetch thousands of items, each calling lookupByMal(),
so preview requests time out before returning results.
Added a _byMal Map index built during loadAnimeIds(), matching the
existing _byAniDB pattern. Lookups are now O(1) instead of O(n).
Fixes#480
Co-authored-by: bitr8 <bitr8@users.noreply.github.com>
* FIX: ADD-OR dropdown was not letting you change it to OR
* FIX: make it so that TMDB cast,crew,people filters show the name with the ID
* FIX: add name when adding person on TMDB as an ID number
* FIX: TMDB custom collection now saves settings on update
* FIX: after deleting a TMDB custom collection, you could not make a new one with the same name
* FIX: hydration was not working on large groups of IDs
* fix: move IMDb rating position out of conflict with top banner tiles
* fix: move dolby vision, hdr position down to prevent conflict with new imdb position
* - Updated `hideIndividualItems` description in settings to clarify support for both Coming Soon and TMDB auto_franchise collections.
- Improved `ComingSoonCollectionSync` to filter items based on media type and apply collection exclusions.
- Added logic to set collection mode when `hideIndividualItems` is enabled, ensuring individual items are hidden in the library tab.
- Adjusted UI components to reflect changes in collection mode options for TMDB and Coming Soon collections.
* fix(comingsoon): guard missingItems before quick-sync storage
.find() only returned the first TV/movie library with placeholders
enabled, silently skipping any additional libraries. Replace with
.filter() + Set to discover and process placeholders across all
libraries.
Co-authored-by: bitr8 <bitr8@users.noreply.github.com>
* feat: separate placeholder filters independent of auto-request filters
Add placeholderMinimumYear, placeholderMinimumImdbRating,
placeholderMinimumRottenTomatoesRating,
placeholderMinimumRottenTomatoesAudienceRating, and
placeholderFilterSettings to CollectionConfig and
MultiSourceCollectionConfig.
buildPlaceholderFilterConfig() helper swaps placeholder values into
standard filter fields so MissingItemFilterService works unchanged.
Updated BaseCollectionSync and MultiSourceOrchestrator call sites.
Collapsible "Placeholder Filters" section in collection edit form
reuses FilterWithMode/KeywordFilterWithMode. Auto-expands when
editing configs with existing values.
Fixed pre-existing gap: keywords missing from
MultiSourceCollectionConfig.filterSettings type.
---------
Co-authored-by: bitr8 <bitr8@users.noreply.github.com>
Co-authored-by: Tom Wheeler <thomas.wheeler.tcw@gmail.com>
Multi-source config assembly was missing minimumImdbRating,
minimumRottenTomatoesRating, minimumRottenTomatoesAudienceRating,
and seasonGrabOrder. Items below the rating threshold were not
being filtered for multi-source collections.
re #440
Co-authored-by: bitr8 <bitr8@users.noreply.github.com>
Movie placeholder labels were only re-applied by Coming Soon collections,
so movies in other collection types (Letterboxd, IMDB, Trakt, etc.) could
permanently leak into filtered hubs if the initial label application failed.
TV placeholder title fixes returned false on timeout but the result was
never checked, giving no visibility into failures.
- Re-apply trailer-placeholder label for all movie placeholders during
global discovery pass
- Log warnings when episode title or movie label application fails
- Track failure counts in discovery summary logs
Relates to #414
Co-authored-by: bitr8 <bitr8@users.noreply.github.com>
Collections require the /library/sections/{id}/all?type=18 endpoint for
metadata updates, not /library/metadata/{ratingKey}. This fixes dynamic
cycle titles (DYNAMIC_CYCLE_TITLE) not updating in Plex after first sync.
- Add libraryKey parameter to updateCollectionTitle()
- Use correct Plex API endpoint for collection metadata updates
- Lock title field to prevent Plex overwriting
- Propagate errors instead of swallowing them
Fixes#432
Co-authored-by: bitr8 <bitr8@users.noreply.github.com>
originallyAvailableAt on type=2 (shows) returns the show's premiere
date, not the latest episode's air date. A show like The Rookie
(premiered 2018) wouldn't appear even with new episodes airing.
Changed to episode.originallyAvailableAt:desc which sorts shows by
their most recent episode's air date.
Fixes#442
Co-authored-by: bitr8 <bitr8@users.noreply.github.com>
searchMulti returns all media types without known_for_department,
causing wrong person selection when names collide (e.g., actor
"Ingmar Bergman" chosen over the director). Switch to searchPerson
and rank results by department match, profile image, then popularity.
Relates to #443
Co-authored-by: bitr8 <bitr8@users.noreply.github.com>
Letterboxd film pages embed exact TMDB links (data-track-action="TMDb"),
but the current resolution relies entirely on fuzzy title+year search.
Short or common titles like "Columbus", "Flow", and "Moonlight" frequently
resolve to wrong results because the scoring gives near-identical scores
to partial title matches and off-by-one year differences.
This adds film page scraping as the primary resolution method, with the
existing TMDB search as fallback.
- Scrape individual film pages for TMDB ID before attempting title search
- Batch scraping with concurrency limit (5 concurrent, 200ms delay)
- Containment scoring now scales by title length ratio instead of flat 0.9
- Year scoring: exact match 0.3, +/-1 year 0.2 (was 0.3 for both)
Fixes#448
Co-authored-by: bitr8 <bitr8@users.noreply.github.com>
The checkbox was in the UI but the field wasn't in the type definition
or save payload, so changes were never persisted.
Fixes#438
Co-authored-by: bitr8 <bitr8@users.noreply.github.com>
* feat(overlays): add US date formats and standalone weekday option
Adds new date format options for overlay templates:
- M/D: US date without leading zeros (1/5)
- DDD MM/DD: weekday + US date (MON 12/20)
- DDD M/D: weekday + US date no padding (MON 1/5)
- DDD: standalone abbreviated weekday (MON)
Fixes#430
* feat(overlays): add UK/AU date formats without padding
* fix(overlays): use unambiguous dates in format examples
---------
Co-authored-by: bitr8 <bitr8@users.noreply.github.com>
