fix: escape JSON in <script>; popup player picks edited if available
P1: views were emitting <%- JSON.stringify(...) %> directly inside <script> tags. A video title like "</script><script>alert(1)</script>" would break out of the script and inject HTML. Added res.locals.jsonForScript() that escapes <, >, &, U+2028, U+2029 before output and switched all three templates (op/editor.ejs, op/folder.ejs, folder.ejs) to use it. P2: The internal popup player in /folder/:name always hit /api/video/:id/file which returned the original. Made the file endpoint default to the edited variant when present and only fall back to original when ?edited=0 is given. Editor page passes ?edited=0 explicitly so the operator always re-trims from the original. Standalone /player/:id no longer needs the ?edited=1 hint. Verified: rendered editor HTML escapes </script> payloads to \u003c/script, default file endpoint serves edited.mp4 while ?edited=0 serves original.mp4. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
14
src/app.ts
14
src/app.ts
@@ -26,6 +26,20 @@ async function main(): Promise<void> {
|
||||
app.use(express.urlencoded({ extended: true }))
|
||||
app.use(express.json({ limit: '4mb' }))
|
||||
|
||||
// EJS 에서 <script> 안에 JSON 을 박을 때 XSS / U+2028 / U+2029 가 깨지는 걸 막는 헬퍼.
|
||||
// 사용 예: <script>window.X = <%- jsonForScript(x) %></script>
|
||||
app.use((_req, res, next) => {
|
||||
res.locals.jsonForScript = (value: unknown): string => {
|
||||
return JSON.stringify(value)
|
||||
.replace(/</g, '\\u003c')
|
||||
.replace(/>/g, '\\u003e')
|
||||
.replace(/&/g, '\\u0026')
|
||||
.replace(/\u2028/g, '\\u2028')
|
||||
.replace(/\u2029/g, '\\u2029')
|
||||
}
|
||||
next()
|
||||
})
|
||||
|
||||
app.use(session({
|
||||
secret: process.env.SESSION_SECRET ?? 'make-video-site-dev-secret',
|
||||
resave: false,
|
||||
|
||||
Reference in New Issue
Block a user