P1: views were emitting <%- JSON.stringify(...) %> directly inside <script> tags. A video title like "</script><script>alert(1)</script>" would close the script element and inject HTML. Added res.locals.jsonForScript(), which escapes <, >, &, U+2028 and U+2029 before output, and switched all three templates (op/editor.ejs, op/folder.ejs, folder.ejs) to use it. P2: The internal popup player in /folder/:name always hit /api/video/:id/file, which returned the original file. Made the file endpoint serve the edited variant by default when one exists, and the original when none exists or when ?edited=0 is given. The editor page passes ?edited=0 explicitly so the operator always re-trims from the original. Standalone /player/:id no longer needs the ?edited=1 hint. Verified: the rendered editor HTML escapes </script> payloads to \u003c/script, the default file endpoint serves edited.mp4, and ?edited=0 serves original.mp4. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
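<!doctype html>
<html lang="ko">
<head>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <%# folder is rendered with EJS's escaping output tag, so it is entity-encoded in both text and attribute positions. %>
  <title><%= folder %> · 비디오 사이트</title>
  <link rel="stylesheet" href="/static/styles.css">
</head>
<body class="siteBody">
  <header class="publicNav">
    <a class="navBrand" href="/">
      <%# Decorative emoji: hidden from assistive tech so the link's name is just the site title. %>
      <span class="navLogo" aria-hidden="true">🎬</span>
      <span class="navTitle">비디오 사이트</span>
    </a>
    <a class="secondaryButton" href="/op">관리자</a>
  </header>

  <main class="pageWrap">
    <section class="hero">
      <a class="muted" href="/">← 폴더 목록</a>
      <h1>📁 <%= folder %></h1>
    </section>

    <%# The grid has no heading of its own, so the region gets an explicit accessible name. %>
    <section class="videoGrid" aria-label="영상 목록">
      <% if (videos.length === 0) { %>
        <p class="muted">이 폴더에 영상이 없습니다.</p>
      <% } %>
      <% videos.forEach(function (v) { %>
        <%# v.id sits in a double-quoted attribute and v.title in text content; both go through the
            escaping output tag, so a title containing markup (e.g. a closing script tag) is rendered
            inert. player.js reads data-video-id, presumably to build the /api/video/:id/file URL; the
            server route must still validate the id itself, since the attribute is client-controlled
            by the time the request is made. %>
        <button type="button" class="videoCard" data-video-id="<%= v.id %>">
          <div class="videoThumb" aria-hidden="true">▶</div>
          <div class="videoTitle"><%= v.title %></div>
        </button>
      <% }) %>
    </section>
  </main>

  <div class="playerOverlay" id="playerOverlay" hidden>
    <%# aria-labelledby names the dialog after the title player.js writes into #playerTitle;
        without it the modal has no accessible name. %>
    <div class="playerModal" role="dialog" aria-modal="true" aria-labelledby="playerTitle">
      <button type="button" class="playerClose" id="playerClose" aria-label="닫기">✕</button>
      <div class="playerTitle" id="playerTitle"></div>
      <video id="playerVideo" controls preload="metadata"></video>
    </div>
  </div>

  <%# Raw (unescaped) output is deliberate here and is only safe because jsonForScript() encodes
      <, >, &, U+2028 and U+2029 as JS string escapes, so the value can neither terminate the
      script element nor break the literal. Do not replace it with plain JSON.stringify.
      NOTE(review): this inline script will need a CSP nonce or hash if script-src is tightened;
      no nonce local is visible in this view. %>
  <script>
    window.__SITE__ = { folder: <%- jsonForScript(folder) %> };
  </script>
  <script src="/static/player.js"></script>
</body>
</html>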