claude-bot
3f4bcf52d0
P1: views were emitting <%- JSON.stringify(...) %> directly inside <script> tags. A video title like "</script><script>alert(1)</script>" would break out of the script and inject HTML. Added res.locals.jsonForScript() that escapes <, >, &, U+2028, U+2029 before output and switched all three templates (op/editor.ejs, op/folder.ejs, folder.ejs) to use it. P2: The internal popup player in /folder/:name always hit /api/video/:id/file which returned the original. Made the file endpoint default to the edited variant when present and only fall back to original when ?edited=0 is given. Editor page passes ?edited=0 explicitly so the operator always re-trims from the original. Standalone /player/:id no longer needs the ?edited=1 hint. Verified: rendered editor HTML escapes </script> payloads to \u003c/script, default file endpoint serves edited.mp4 while ?edited=0 serves original.mp4. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
51 lines
1.7 KiB
Plaintext
51 lines
1.7 KiB
Plaintext
<!doctype html>
|
|
<html lang="ko">
|
|
<head>
|
|
<meta charset="utf-8" />
|
|
<meta name="viewport" content="width=device-width, initial-scale=1" />
|
|
<title>관리자 · <%= folder %></title>
|
|
<link rel="stylesheet" href="/static/styles.css" />
|
|
</head>
|
|
<body class="siteBody">
|
|
<%- include('../partials/navbar', { userId }) %>
|
|
|
|
<main class="pageWrap">
|
|
<section class="dashboardHeader">
|
|
<div>
|
|
<a class="muted" href="/op/dashboard">← 폴더 목록</a>
|
|
<h1>📁 <%= folder %></h1>
|
|
</div>
|
|
<div class="dashboardActions">
|
|
<a class="primaryButton" href="/op/folder/<%= encodeURIComponent(folder) %>/video/editor">영상 추가</a>
|
|
</div>
|
|
</section>
|
|
|
|
<section class="videoGrid" id="videoGrid">
|
|
<% if (videos.length === 0) { %>
|
|
<p class="muted">이 폴더에 영상이 없습니다. 우측 상단에서 영상을 추가하세요.</p>
|
|
<% } %>
|
|
<% videos.forEach(function (v) { %>
|
|
<div class="videoCard adminVideo" data-id="<%= v.id %>" data-title="<%= v.title %>">
|
|
<div class="videoThumb">▶</div>
|
|
<div class="videoTitle"><%= v.title %></div>
|
|
<% if (v.sourceType === 'youtube' && !v.originalFile.includes('original.') === false) { %>
|
|
<div class="muted">YouTube</div>
|
|
<% } %>
|
|
</div>
|
|
<% }) %>
|
|
</section>
|
|
</main>
|
|
|
|
<div class="ctxMenu" id="ctxMenu" hidden>
|
|
<button type="button" data-action="edit">수정</button>
|
|
<button type="button" data-action="rename">이름 변경</button>
|
|
<button type="button" data-action="delete" class="dangerLink">삭제</button>
|
|
</div>
|
|
|
|
<script>
|
|
window.__OP__ = { folder: <%- jsonForScript(folder) %> }
|
|
</script>
|
|
<script src="/static/folder.js"></script>
|
|
</body>
|
|
</html>
|