From d1fd81c38263f4932f28ed24c3042272c901a594 Mon Sep 17 00:00:00 2001
From: Shadowghost
Date: Mon, 30 Mar 2026 09:40:01 +0200
Subject: [PATCH] Fix GHSA v2jv-54xj-h76w
---
 Jellyfin.Api/Controllers/SyncPlayController.cs | 2 +-
 Jellyfin.Api/Models/SyncPlayDtos/NewGroupRequestDto.cs | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/Jellyfin.Api/Controllers/SyncPlayController.cs b/Jellyfin.Api/Controllers/SyncPlayController.cs
index 3d6874079d..991fb87144 100644
--- a/Jellyfin.Api/Controllers/SyncPlayController.cs
+++ b/Jellyfin.Api/Controllers/SyncPlayController.cs
@@ -58,7 +58,7 @@ public class SyncPlayController : BaseJellyfinApiController
 [FromBody, Required] NewGroupRequestDto requestData)
 {
 var currentSession = await RequestHelpers.GetSession(_sessionManager, _userManager, HttpContext).ConfigureAwait(false);
- var syncPlayRequest = new NewGroupRequest(requestData.GroupName);
+ var syncPlayRequest = new NewGroupRequest(requestData.GroupName.Trim());
 return Ok(_syncPlayManager.NewGroup(currentSession, syncPlayRequest, CancellationToken.None));
 }
diff --git a/Jellyfin.Api/Models/SyncPlayDtos/NewGroupRequestDto.cs b/Jellyfin.Api/Models/SyncPlayDtos/NewGroupRequestDto.cs
index 32a3bb444c..2e1889fed4 100644
--- a/Jellyfin.Api/Models/SyncPlayDtos/NewGroupRequestDto.cs
+++ b/Jellyfin.Api/Models/SyncPlayDtos/NewGroupRequestDto.cs
@@ -1,3 +1,5 @@
+using System.ComponentModel.DataAnnotations;
+
 namespace Jellyfin.Api.Models.SyncPlayDtos;
 ///
@@ -17,5 +19,6 @@ public class NewGroupRequestDto
 /// Gets or sets the group name.
 ///
 /// The name of the new group.
+ [StringLength(200, ErrorMessage = "Group name must not exceed 200 characters.")]
 public string GroupName { get; set; }
 }
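Review bot: `requestData.GroupName.Trim()` in the SyncPlayController hunk dereferences the property with no null guard in the visible lines, and the DTO in this patch gains `[StringLength]` but no `[Required]`. A request body that omits the group name would therefore fail with a NullReferenceException unless model validation already rejects it, which cannot be confirmed from this hunk. A whitespace-only name also passes the length check and becomes an empty string after trimming; if empty group names are not intended, reject them before building the request, e.g. `if (string.IsNullOrWhiteSpace(requestData.GroupName)) { return BadRequest(); }`. The action's signature begins above the hunk.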
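Review bot: The `[StringLength(200, ...)]` cap on `GroupName` only takes effect where model validation runs, and the controller action changed in this patch uses `requestData.GroupName` without checking `ModelState`, so enforcement presumably relies on automatic validation from the base controller — worth confirming. The bound also lives only on the API DTO, so any other code path that constructs a `NewGroupRequest` is not limited by it; consider enforcing the same limit where the group is actually created. The property's doc comment should state the limit, e.g. `/// <value>The name of the new group (at most 200 characters).</value>`, and adding `MinimumLength = 1` to the attribute would reject empty names in the same place.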