claude-bot
3f4bcf52d0
P1: views were emitting <%- JSON.stringify(...) %> directly inside <script> tags. A video title like "</script><script>alert(1)</script>" would break out of the script and inject HTML. Added res.locals.jsonForScript() that escapes <, >, &, U+2028, U+2029 before output and switched all three templates (op/editor.ejs, op/folder.ejs, folder.ejs) to use it. P2: The internal popup player in /folder/:name always hit /api/video/:id/file which returned the original. Made the file endpoint default to the edited variant when present and only fall back to original when ?edited=0 is given. Editor page passes ?edited=0 explicitly so the operator always re-trims from the original. Standalone /player/:id no longer needs the ?edited=1 hint. Verified: rendered editor HTML escapes </script> payloads to \u003c/script, default file endpoint serves edited.mp4 while ?edited=0 serves original.mp4. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
65 lines
2.8 KiB
Plaintext
65 lines
2.8 KiB
Plaintext
<!doctype html>
|
|
<html lang="ko">
|
|
<head>
|
|
<meta charset="utf-8" />
|
|
<meta name="viewport" content="width=device-width, initial-scale=1" />
|
|
<title>영상 편집 · <%= folder %></title>
|
|
<link rel="stylesheet" href="/static/styles.css" />
|
|
</head>
|
|
<body class="siteBody">
|
|
<header class="editorNav">
|
|
<div class="editorNavLeft">
|
|
<a class="muted" href="/op/folder/<%= encodeURIComponent(folder) %>">← <%= folder %></a>
|
|
<input type="text" id="titleInput" class="titleInput" placeholder="영상 제목" value="<%= video ? video.title : '' %>" />
|
|
</div>
|
|
<div class="editorNavRight">
|
|
<button type="button" class="primaryButton" id="saveBtn">저장</button>
|
|
</div>
|
|
</header>
|
|
|
|
<main class="editorMain">
|
|
<section class="editorStage">
|
|
<div id="dropZone" class="dropZone" <% if (video) { %>hidden<% } %>>
|
|
<p class="dropTitle">영상 추가</p>
|
|
<p class="muted">파일을 드래그&드롭하거나, 아래에서 직접 선택하거나, YouTube 주소를 붙여넣으세요.</p>
|
|
<input type="file" id="fileInput" accept="video/*" />
|
|
<div class="ytRow">
|
|
<input type="text" id="ytUrl" placeholder="https://www.youtube.com/watch?v=..." />
|
|
<button type="button" class="secondaryButton" id="ytProbeBtn">확인</button>
|
|
<button type="button" class="primaryButton" id="ytStartBtn" disabled>가져오기</button>
|
|
</div>
|
|
<p id="probeInfo" class="muted"></p>
|
|
<progress id="downloadProgress" value="0" max="100" hidden></progress>
|
|
<p id="uploadStatus" class="muted"></p>
|
|
</div>
|
|
|
|
<div id="videoPanel" class="videoPanel" <% if (!video) { %>hidden<% } %>>
|
|
<video id="editVideo" controls preload="metadata"
|
|
<% if (video) { %>src="/api/video/<%= video.id %>/file?edited=0"<% } %>></video>
|
|
<div class="trimControls">
|
|
<label>
|
|
<span>시작(초)</span>
|
|
<input type="number" id="startSec" step="0.1" min="0" value="<%= video && video.trim ? video.trim.startSec : 0 %>" />
|
|
<button type="button" class="secondaryButton" data-set-current="start">현재 시점</button>
|
|
</label>
|
|
<label>
|
|
<span>종료(초, 비우면 끝까지)</span>
|
|
<input type="number" id="endSec" step="0.1" min="0" value="<%= video && video.trim && video.trim.endSec != null ? video.trim.endSec : '' %>" />
|
|
<button type="button" class="secondaryButton" data-set-current="end">현재 시점</button>
|
|
</label>
|
|
<p class="muted">저장하면 ffmpeg 가 원본을 보존한 채 편집본을 만듭니다.</p>
|
|
</div>
|
|
</div>
|
|
</section>
|
|
</main>
|
|
|
|
<script>
|
|
window.__EDITOR__ = {
|
|
folder: <%- jsonForScript(folder) %>,
|
|
video: <%- jsonForScript(video) %>
|
|
}
|
|
</script>
|
|
<script src="/static/editor.js"></script>
|
|
</body>
|
|
</html>
|