fix: escape JSON in <script>; popup player picks edited if available
P1: views were emitting <%- JSON.stringify(...) %> directly inside <script> tags. A video title like "</script><script>alert(1)</script>" would break out of the script and inject HTML. Added res.locals.jsonForScript() that escapes <, >, &, U+2028, U+2029 before output and switched all three templates (op/editor.ejs, op/folder.ejs, folder.ejs) to use it. P2: The internal popup player in /folder/:name always hit /api/video/:id/file which returned the original. Made the file endpoint default to the edited variant when present and only fall back to original when ?edited=0 is given. Editor page passes ?edited=0 explicitly so the operator always re-trims from the original. Standalone /player/:id no longer needs the ?edited=1 hint. Verified: rendered editor HTML escapes </script> payloads to \u003c/script, default file endpoint serves edited.mp4 while ?edited=0 serves original.mp4. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
14
src/app.ts
14
src/app.ts
@@ -26,6 +26,20 @@ async function main(): Promise<void> {
|
|||||||
app.use(express.urlencoded({ extended: true }))
|
app.use(express.urlencoded({ extended: true }))
|
||||||
app.use(express.json({ limit: '4mb' }))
|
app.use(express.json({ limit: '4mb' }))
|
||||||
|
|
||||||
|
// EJS 에서 <script> 안에 JSON 을 박을 때 XSS / U+2028 / U+2029 가 깨지는 걸 막는 헬퍼.
|
||||||
|
// 사용 예: <script>window.X = <%- jsonForScript(x) %></script>
|
||||||
|
app.use((_req, res, next) => {
|
||||||
|
res.locals.jsonForScript = (value: unknown): string => {
|
||||||
|
return JSON.stringify(value)
|
||||||
|
.replace(/</g, '\\u003c')
|
||||||
|
.replace(/>/g, '\\u003e')
|
||||||
|
.replace(/&/g, '\\u0026')
|
||||||
|
.replace(/\u2028/g, '\\u2028')
|
||||||
|
.replace(/\u2029/g, '\\u2029')
|
||||||
|
}
|
||||||
|
next()
|
||||||
|
})
|
||||||
|
|
||||||
app.use(session({
|
app.use(session({
|
||||||
secret: process.env.SESSION_SECRET ?? 'make-video-site-dev-secret',
|
secret: process.env.SESSION_SECRET ?? 'make-video-site-dev-secret',
|
||||||
resave: false,
|
resave: false,
|
||||||
|
|||||||
@@ -65,9 +65,12 @@ publicRouter.get('/api/video/:videoId/file', async (req, res, next) => {
|
|||||||
res.status(404).end()
|
res.status(404).end()
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
const wantEdited = req.query.edited === '1' || req.query.edited === 'true'
|
// 기본 동작: 편집본(edited)이 있으면 그것을 재생한다. 원본을 강제로 보고 싶으면 ?edited=0.
|
||||||
|
// 명시적으로 ?edited=1 을 줘도 편집본이 있을 때만 적용된다.
|
||||||
|
const editedParam = typeof req.query.edited === 'string' ? req.query.edited : ''
|
||||||
|
const wantOriginal = editedParam === '0' || editedParam === 'false'
|
||||||
const fileName =
|
const fileName =
|
||||||
wantEdited && found.meta.editedFile ? found.meta.editedFile : found.meta.originalFile
|
!wantOriginal && found.meta.editedFile ? found.meta.editedFile : found.meta.originalFile
|
||||||
if (!fileName || fileName.includes('%(ext)s')) {
|
if (!fileName || fileName.includes('%(ext)s')) {
|
||||||
res.status(404).end()
|
res.status(404).end()
|
||||||
return
|
return
|
||||||
|
|||||||
@@ -43,7 +43,7 @@
|
|||||||
</div>
|
</div>
|
||||||
|
|
||||||
<script>
|
<script>
|
||||||
window.__SITE__ = { folder: <%- JSON.stringify(folder) %> }
|
window.__SITE__ = { folder: <%- jsonForScript(folder) %> }
|
||||||
</script>
|
</script>
|
||||||
<script src="/static/player.js"></script>
|
<script src="/static/player.js"></script>
|
||||||
</body>
|
</body>
|
||||||
|
|||||||
@@ -35,7 +35,7 @@
|
|||||||
|
|
||||||
<div id="videoPanel" class="videoPanel" <% if (!video) { %>hidden<% } %>>
|
<div id="videoPanel" class="videoPanel" <% if (!video) { %>hidden<% } %>>
|
||||||
<video id="editVideo" controls preload="metadata"
|
<video id="editVideo" controls preload="metadata"
|
||||||
<% if (video) { %>src="/api/video/<%= video.id %>/file"<% } %>></video>
|
<% if (video) { %>src="/api/video/<%= video.id %>/file?edited=0"<% } %>></video>
|
||||||
<div class="trimControls">
|
<div class="trimControls">
|
||||||
<label>
|
<label>
|
||||||
<span>시작(초)</span>
|
<span>시작(초)</span>
|
||||||
@@ -55,8 +55,8 @@
|
|||||||
|
|
||||||
<script>
|
<script>
|
||||||
window.__EDITOR__ = {
|
window.__EDITOR__ = {
|
||||||
folder: <%- JSON.stringify(folder) %>,
|
folder: <%- jsonForScript(folder) %>,
|
||||||
video: <%- JSON.stringify(video) %>
|
video: <%- jsonForScript(video) %>
|
||||||
}
|
}
|
||||||
</script>
|
</script>
|
||||||
<script src="/static/editor.js"></script>
|
<script src="/static/editor.js"></script>
|
||||||
|
|||||||
@@ -43,7 +43,7 @@
|
|||||||
</div>
|
</div>
|
||||||
|
|
||||||
<script>
|
<script>
|
||||||
window.__OP__ = { folder: <%- JSON.stringify(folder) %> }
|
window.__OP__ = { folder: <%- jsonForScript(folder) %> }
|
||||||
</script>
|
</script>
|
||||||
<script src="/static/folder.js"></script>
|
<script src="/static/folder.js"></script>
|
||||||
</body>
|
</body>
|
||||||
|
|||||||
@@ -22,7 +22,7 @@
|
|||||||
</section>
|
</section>
|
||||||
|
|
||||||
<div class="standalonePlayer">
|
<div class="standalonePlayer">
|
||||||
<video controls autoplay preload="metadata" src="/api/video/<%= video.id %>/file<%= video.editedFile ? '?edited=1' : '' %>"></video>
|
<video controls autoplay preload="metadata" src="/api/video/<%= video.id %>/file"></video>
|
||||||
</div>
|
</div>
|
||||||
</main>
|
</main>
|
||||||
</body>
|
</body>
|
||||||
|
|||||||
Reference in New Issue
Block a user