P1: views were emitting <%- JSON.stringify(...) %> directly inside <script> tags. A video title like "</script><script>alert(1)</script>" would break out of the script and inject HTML. Added res.locals.jsonForScript() that escapes <, >, &, U+2028, U+2029 before output and switched all three templates (op/editor.ejs, op/folder.ejs, folder.ejs) to use it. P2: The internal popup player in /folder/:name always hit /api/video/:id/file which returned the original. Made the file endpoint default to the edited variant when present and only fall back to original when ?edited=0 is given. Editor page passes ?edited=0 explicitly so the operator always re-trims from the original. Standalone /player/:id no longer needs the ?edited=1 hint. Verified: rendered editor HTML escapes </script> payloads to \u003c/script, default file endpoint serves edited.mp4 while ?edited=0 serves original.mp4. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
import { Router } from 'express'
|
|
import path from 'node:path'
|
|
import { promises as fs } from 'node:fs'
|
|
import {
|
|
findVideoAnywhere,
|
|
folderPath,
|
|
listFolders,
|
|
listVideos,
|
|
loadVideoMeta,
|
|
sanitizeFolderName,
|
|
videoDir,
|
|
videoFileFsPath
|
|
} from '../store.js'
|
|
|
|
export const publicRouter = Router()
|
|
|
|
publicRouter.get('/', async (_req, res, next) => {
|
|
try {
|
|
const folders = await listFolders()
|
|
res.render('index', { folders })
|
|
} catch (err) {
|
|
next(err)
|
|
}
|
|
})
|
|
|
|
publicRouter.get('/folder/:name', async (req, res, next) => {
|
|
try {
|
|
const safe = sanitizeFolderName(req.params.name)
|
|
if (!safe) {
|
|
res.status(404).send('폴더를 찾을 수 없습니다.')
|
|
return
|
|
}
|
|
// 존재 확인
|
|
try {
|
|
await fs.access(folderPath(safe))
|
|
} catch {
|
|
res.status(404).send('폴더를 찾을 수 없습니다.')
|
|
return
|
|
}
|
|
const videos = await listVideos(safe)
|
|
res.render('folder', { folder: safe, videos, isAdmin: false })
|
|
} catch (err) {
|
|
next(err)
|
|
}
|
|
})
|
|
|
|
publicRouter.get('/player/:videoId', async (req, res, next) => {
|
|
try {
|
|
const found = await findVideoAnywhere(req.params.videoId)
|
|
if (!found) {
|
|
res.status(404).send('영상을 찾을 수 없습니다.')
|
|
return
|
|
}
|
|
res.render('player', { folder: found.folder, video: found.meta })
|
|
} catch (err) {
|
|
next(err)
|
|
}
|
|
})
|
|
|
|
/** 영상 파일 스트리밍. ?edited=1 이면 편집본을, 아니면 원본을 보낸다. */
|
|
publicRouter.get('/api/video/:videoId/file', async (req, res, next) => {
|
|
try {
|
|
const found = await findVideoAnywhere(req.params.videoId)
|
|
if (!found) {
|
|
res.status(404).end()
|
|
return
|
|
}
|
|
// 기본 동작: 편집본(edited)이 있으면 그것을 재생한다. 원본을 강제로 보고 싶으면 ?edited=0.
|
|
// 명시적으로 ?edited=1 을 줘도 편집본이 있을 때만 적용된다.
|
|
const editedParam = typeof req.query.edited === 'string' ? req.query.edited : ''
|
|
const wantOriginal = editedParam === '0' || editedParam === 'false'
|
|
const fileName =
|
|
!wantOriginal && found.meta.editedFile ? found.meta.editedFile : found.meta.originalFile
|
|
if (!fileName || fileName.includes('%(ext)s')) {
|
|
res.status(404).end()
|
|
return
|
|
}
|
|
const fsPath = videoFileFsPath(found.folder, found.meta.id, fileName)
|
|
res.sendFile(fsPath)
|
|
} catch (err) {
|
|
next(err)
|
|
}
|
|
})
|
|
|
|
/** 비디오 메타 조회 (플레이어/관리자 양쪽에서 사용) */
|
|
publicRouter.get('/api/video/:videoId', async (req, res, next) => {
|
|
try {
|
|
const found = await findVideoAnywhere(req.params.videoId)
|
|
if (!found) {
|
|
res.status(404).json({ ok: false, message: '영상을 찾을 수 없습니다.' })
|
|
return
|
|
}
|
|
res.json({ ok: true, folder: found.folder, video: found.meta })
|
|
} catch (err) {
|
|
next(err)
|
|
}
|
|
})
|
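Review bot: The JSDoc above the `/api/video/:videoId/file` handler still describes the old contract (`?edited=1` selects the edited file, otherwise the original), which contradicts the new default implemented a few lines below, where the edited variant is served unless `?edited=0` or `?edited=false` is given. Replace it with `/** Streams the video file. Serves the edited variant when present; pass ?edited=0 (or ?edited=false) to force the original. */` so the doc and the inline comments agree. The commit description only mentions `?edited=0`, while the code also accepts `'false'`; either document that alias in the same comment or drop it so there is one documented way to request the original. Presumably `videoFileFsPath` returns an absolute path as `res.sendFile` requires without a `root` option — worth confirming, since that helper is outside this file.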