firstgarden/firstgarden-web-gnu
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Activity

XSS 취약점 수정

Browse Source
This commit is contained in:
thisgun
2025-08-28 13:35:14 +09:00
parent 9510aa9cf1
commit 002e43e5fb
2 changed files with 7 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
bbs/view_comment.php
View File

@ -7,7 +7,7 @@ if ($is_guest && $board['bo_comment_level'] < 2) {
$captcha_html = captcha_html('_comment');
}
$c_id = isset($_GET['c_id']) ? clean_xss_tags($_GET['c_id'], 1, 1) : '';
$c_id = isset($_GET['c_id']) ? preg_replace('/[\'",]/', '', clean_xss_tags($_GET['c_id'], 1, 1)) : '';
$c_wr_content = '';
@include_once($board_skin_path.'/view_comment.head.skin.php');

6
lib/common.lib.php
View File

@ -3429,6 +3429,12 @@ function clean_xss_tags($str, $check_entities=0, $is_remove_tags=0, $cur_str_len
$result = preg_replace('#([^\p{L}]|^)(?:javascript|jar|applescript|vbscript|vbs|wscript|jscript|behavior|mocha|livescript|view-source)\s*:(?:.*?([/\\\;()\'">]|$))#ius',
'$1$2', $result);
// 이벤트 핸들러 속성 제거 (예: onclick=, onerror= 등)
$result = preg_replace('/on\w+\s*=\s*(".*?"|\'.*?\'|[^\s>]+)/i', '', $result);
// 속성 제거 (CSS 기반 인젝션 차단)
$result = preg_replace('/\s*style\s*=\s*(".*?"|\'.*?\'|[^\s>]+)/i', '', $result);
if((string)$result === (string)$str) break;
$str = $result;