fix: escape JSON in <script>; popup player picks edited if available

P1: views were emitting <%- JSON.stringify(...) %> directly inside <script>
tags. A video title like "</script><script>alert(1)</script>" would break
out of the script and inject HTML. Added res.locals.jsonForScript() that
escapes <, >, &, U+2028, U+2029 before output and switched all three
templates (op/editor.ejs, op/folder.ejs, folder.ejs) to use it.

P2: The internal popup player in /folder/:name always hit
/api/video/:id/file which returned the original. Made the file endpoint
default to the edited variant when present and only fall back to original
when ?edited=0 is given. Editor page passes ?edited=0 explicitly so the
operator always re-trims from the original. Standalone /player/:id no
longer needs the ?edited=1 hint.

Verified: rendered editor HTML escapes </script> payloads to \u003c/script,
default file endpoint serves edited.mp4 while ?edited=0 serves original.mp4.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-15 16:49:03 +09:00
parent 0db04cf5cd
commit 3f4bcf52d0
6 changed files with 25 additions and 8 deletions
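
The escaping described under P1 above, as an added example that is not the commit's own code (the helper's source is not shown on this page): a hypothetical `jsonForScript()` and a check that the title payload quoted in the commit message no longer yields a `</script` sequence inside the inline script. The names `window.__VIDEO__`, `renderInline` and `scriptCloseCount` are assumptions made for illustration.

```javascript
// Hypothetical helper: escapes the five characters the commit message lists.
const ESCAPES = {
  '<': '\\u003c',
  '>': '\\u003e',
  '&': '\\u0026',
  '\u2028': '\\u2028',
  '\u2029': '\\u2029',
};

function jsonForScript(value) {
  const json = JSON.stringify(value);
  // JSON.stringify(undefined) returns undefined; emit a valid literal instead.
  if (json === undefined) return 'null';
  // The replacements are JS/JSON string escapes, so the parsed value is unchanged.
  return json.replace(/[<>&\u2028\u2029]/g, (ch) => ESCAPES[ch]);
}

// Constructed sample record; the title is the payload from the commit message.
const video = { id: 'v1', title: '</script><script>alert(1)</script>' };

// Stand-in for the EJS view: raw (unescaped) output inside a <script> element.
function renderInline(serialize) {
  return `<script>window.__VIDEO__ = ${serialize(video)};</script>`;
}

// Number of places where the HTML parser would see a script end tag.
function scriptCloseCount(html) {
  return (html.match(/<\/script/gi) || []).length;
}

const unsafeHtml = renderInline(JSON.stringify);
const safeHtml = renderInline(jsonForScript);

console.log('end tags, raw JSON.stringify:', scriptCloseCount(unsafeHtml));
console.log('end tags, jsonForScript:     ', scriptCloseCount(safeHtml));
console.log(safeHtml);
```
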

@@ -65,9 +65,12 @@ publicRouter.get('/api/video/:videoId/file', async (req, res, next) => {
res.status(404).end()
return
}
const wantEdited = req.query.edited === '1' || req.query.edited === 'true'
// 기본 동작: 편집본(edited)이 있으면 그것을 재생한다. 원본을 강제로 보고 싶으면 ?edited=0.
// 명시적으로 ?edited=1 을 줘도 편집본이 있을 때만 적용된다.
const editedParam = typeof req.query.edited === 'string' ? req.query.edited : ''
const wantOriginal = editedParam === '0' || editedParam === 'false'
const fileName =
wantEdited && found.meta.editedFile ? found.meta.editedFile : found.meta.originalFile
!wantOriginal && found.meta.editedFile ? found.meta.editedFile : found.meta.originalFile
if (!fileName || fileName.includes('%(ext)s')) {
res.status(404).end()
return
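
Review bot: `?edited=0` is honored on `publicRouter` with no check on who is asking, so once an edited file exists any viewer can still fetch `found.meta.originalFile` by adding that parameter. If trimming is ever used to cut material that should not be public, serve the original only from an authenticated operator route (the editor page is the only `?edited=0` caller the commit message names) and have the public route ignore the parameter. A short comment beside `editedParam` would also help: a repeated parameter such as `?edited=0&edited=0` is parsed as an array, fails the `typeof req.query.edited === 'string'` test, and silently falls through to the edited variant.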