From 3f4bcf52d0a99ab5f3e7391d9372b5a080c7a220 Mon Sep 17 00:00:00 2001 From: claude-bot Date: Fri, 15 May 2026 16:49:03 +0900 Subject: [PATCH] fix: escape JSON in " would break out of the script and inject HTML. Added res.locals.jsonForScript() that escapes <, >, &, U+2028, U+2029 before output and switched all three templates (op/editor.ejs, op/folder.ejs, folder.ejs) to use it. P2: The internal popup player in /folder/:name always hit /api/video/:id/file which returned the original. Made the file endpoint default to the edited variant when present and only fall back to original when ?edited=0 is given. Editor page passes ?edited=0 explicitly so the operator always re-trims from the original. Standalone /player/:id no longer needs the ?edited=1 hint. Verified: rendered editor HTML escapes payloads to \u003c/script, default file endpoint serves edited.mp4 while ?edited=0 serves original.mp4. Co-Authored-By: Claude Opus 4.7 --- src/app.ts | 14 ++++++++++++++ src/routes/public.ts | 7 +++++-- views/folder.ejs | 2 +- views/op/editor.ejs | 6 +++--- views/op/folder.ejs | 2 +- views/player.ejs | 2 +- 6 files changed, 25 insertions(+), 8 deletions(-) diff --git a/src/app.ts b/src/app.ts index 59b29f6..19e616c 100644 --- a/src/app.ts +++ b/src/app.ts @@ -26,6 +26,20 @@ async function main(): Promise { app.use(express.urlencoded({ extended: true })) app.use(express.json({ limit: '4mb' })) + // EJS 에서 + app.use((_req, res, next) => { + res.locals.jsonForScript = (value: unknown): string => { + return JSON.stringify(value) + .replace(//g, '\\u003e') + .replace(/&/g, '\\u0026') + .replace(/\u2028/g, '\\u2028') + .replace(/\u2029/g, '\\u2029') + } + next() + }) + app.use(session({ secret: process.env.SESSION_SECRET ?? 'make-video-site-dev-secret', resave: false, diff --git a/src/routes/public.ts b/src/routes/public.ts index a252c70..51908ab 100644 --- a/src/routes/public.ts +++ b/src/routes/public.ts 
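Review bot: `res.locals.jsonForScript` declares a `string` return, but `JSON.stringify` yields `undefined` for `undefined`, functions and symbols, so a template that passes a missing local would throw a `TypeError` on `.replace` at render time instead of emitting something inert; guard the first line of the helper with `const json: string | undefined = JSON.stringify(value)` followed by `return (json ?? 'null')` ahead of the `.replace` chain. The replacement list as rendered here shows only a single `.replace(//g, '\\u003e')`, so the `<` → `\u003c` replacement the commit message describes appears to have been lost in this rendering; worth confirming against the actual file that both `<` and `>` are covered, since `<` is the character that closes `</script>`. The helper's contract also deserves a comment in place of the truncated `// EJS 에서`, e.g. `// Serializes a value for use as a JS expression inside an inline <script> body only; the JSON's own double quotes are left intact, so it is not safe inside attribute values or inline event handlers.` The enclosing `main()` begins and ends outside this hunk.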
@@ -65,9 +65,12 @@ publicRouter.get('/api/video/:videoId/file', async (req, res, next) => {
 res.status(404).end()
 return
 }
- const wantEdited = req.query.edited === '1' || req.query.edited === 'true'
+ // 기본 동작: 편집본(edited)이 있으면 그것을 재생한다. 원본을 강제로 보고 싶으면 ?edited=0.
+ // 명시적으로 ?edited=1 을 줘도 편집본이 있을 때만 적용된다.
+ const editedParam = typeof req.query.edited === 'string' ? req.query.edited : ''
+ const wantOriginal = editedParam === '0' || editedParam === 'false'
 const fileName =
- wantEdited && found.meta.editedFile ? found.meta.editedFile : found.meta.originalFile
+ !wantOriginal && found.meta.editedFile ? found.meta.editedFile : found.meta.originalFile
 if (!fileName || fileName.includes('%(ext)s')) {
 res.status(404).end()
 return
diff --git a/views/folder.ejs b/views/folder.ejs
index fb46d1c..1ff0072 100644
--- a/views/folder.ejs
+++ b/views/folder.ejs
@@ -43,7 +43,7 @@
diff --git a/views/op/editor.ejs b/views/op/editor.ejs
index 2ab4dd2..7cb04ac 100644
--- a/views/op/editor.ejs
+++ b/views/op/editor.ejs
@@ -35,7 +35,7 @@
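Review bot: The new `editedParam` check treats only the exact strings `'0'` and `'false'` as a request for the original, so `?edited=FALSE` or a value with surrounding whitespace silently falls through to the edited file, the opposite of what the caller asked for; normalizing once — `const editedParam = typeof req.query.edited === 'string' ? req.query.edited.trim().toLowerCase() : ''` — keeps the two comparisons as written. Because the same `/api/video/:videoId/file` URL now switches from `originalFile` to `editedFile` whenever an edited variant appears, any client or proxy that cached the earlier response may keep serving the original; if the send path outside this hunk does not already emit validators (ETag/Last-Modified) derived from the chosen file, a `Cache-Control: no-cache` header on this response or a cache-busting query from the templates would be needed. The route handler starts before and ends after this hunk.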
hidden<% } %>> + <% if (video) { %>src="/api/video/<%= video.id %>/file?edited=0"<% } %>>
diff --git a/views/player.ejs b/views/player.ejs index cc17820..6e8be7a 100644 --- a/views/player.ejs +++ b/views/player.ejs @@ -22,7 +22,7 @@
- +