fix: escape JSON in <script>; popup player picks edited if available

P1: views were emitting <%- JSON.stringify(...) %> directly inside <script> tags. A video title like "</script><script>alert(1)</script>" would break out of the script and inject HTML. Added res.locals.jsonForScript() that escapes <, >, &, U+2028, U+2029 before output and switched all three templates (op/editor.ejs, op/folder.ejs, folder.ejs) to use it. P2: The internal popup player in /folder/:name always hit /api/video/:id/file which returned the original. Made the file endpoint default to the edited variant when present and only fall back to original when ?edited=0 is given. Editor page passes ?edited=0 explicitly so the operator always re-trims from the original. Standalone /player/:id no longer needs the ?edited=1 hint. Verified: rendered editor HTML escapes </script> payloads to \u003c/script, default file endpoint serves edited.mp4 while ?edited=0 serves original.mp4. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-15 16:49:03 +09:00
parent 0db04cf5cd
commit 3f4bcf52d0
6 changed files with 25 additions and 8 deletions
--- a/views/folder.ejs
+++ b/views/folder.ejs
@@ -43,7 +43,7 @@
  </div>

  <script>
-    window.__SITE__ = { folder: <%- JSON.stringify(folder) %> }
+    window.__SITE__ = { folder: <%- jsonForScript(folder) %> }
  </script>
  <script src="/static/player.js"></script>
 </body>
--- a/views/op/editor.ejs
+++ b/views/op/editor.ejs
@@ -35,7 +35,7 @@

      <div id="videoPanel" class="videoPanel" <% if (!video) { %>hidden<% } %>>
        <video id="editVideo" controls preload="metadata"
-          <% if (video) { %>src="/api/video/<%= video.id %>/file"<% } %>></video>
+          <% if (video) { %>src="/api/video/<%= video.id %>/file?edited=0"<% } %>></video>
        <div class="trimControls">
          <label>
            <span>시작(초)</span>
@@ -55,8 +55,8 @@

  <script>
    window.__EDITOR__ = {
-      folder: <%- JSON.stringify(folder) %>,
-      video: <%- JSON.stringify(video) %>
+      folder: <%- jsonForScript(folder) %>,
+      video: <%- jsonForScript(video) %>
    }
  </script>
  <script src="/static/editor.js"></script>
--- a/views/op/folder.ejs
+++ b/views/op/folder.ejs
@@ -43,7 +43,7 @@
  </div>

  <script>
-    window.__OP__ = { folder: <%- JSON.stringify(folder) %> }
+    window.__OP__ = { folder: <%- jsonForScript(folder) %> }
  </script>
  <script src="/static/folder.js"></script>
 </body>
--- a/views/player.ejs
+++ b/views/player.ejs
@@ -22,7 +22,7 @@
    </section>

    <div class="standalonePlayer">
-      <video controls autoplay preload="metadata" src="/api/video/<%= video.id %>/file<%= video.editedFile ? '?edited=1' : '' %>"></video>
+      <video controls autoplay preload="metadata" src="/api/video/<%= video.id %>/file"></video>
    </div>
  </main>
 </body>