fix: escape JSON in <script>; popup player picks edited if available

P1: views were emitting <%- JSON.stringify(...) %> directly inside <script> tags. A video title like "</script><script>alert(1)</script>" would break out of the script and inject HTML. Added res.locals.jsonForScript() that escapes <, >, &, U+2028, U+2029 before output and switched all three templates (op/editor.ejs, op/folder.ejs, folder.ejs) to use it. P2: The internal popup player in /folder/:name always hit /api/video/:id/file which returned the original. Made the file endpoint default to the edited variant when present and only fall back to original when ?edited=0 is given. Editor page passes ?edited=0 explicitly so the operator always re-trims from the original. Standalone /player/:id no longer needs the ?edited=1 hint. Verified: rendered editor HTML escapes </script> payloads to \u003c/script, default file endpoint serves edited.mp4 while ?edited=0 serves original.mp4. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-15 16:49:03 +09:00
parent 0db04cf5cd
commit 3f4bcf52d0
6 changed files with 25 additions and 8 deletions
--- a/views/player.ejs
+++ b/views/player.ejs
@@ -22,7 +22,7 @@
    </section>

    <div class="standalonePlayer">
-      <video controls autoplay preload="metadata" src="/api/video/<%= video.id %>/file<%= video.editedFile ? '?edited=1' : '' %>"></video>
+      <video controls autoplay preload="metadata" src="/api/video/<%= video.id %>/file"></video>
    </div>
  </main>
 </body>