XSS 취약점 수정

2025-08-28 13:35:14 +09:00
parent 9510aa9cf1
commit 002e43e5fb
2 changed files with 7 additions and 1 deletions
--- a/lib/common.lib.php
+++ b/lib/common.lib.php
@ -3429,6 +3429,12 @@ function clean_xss_tags($str, $check_entities=0, $is_remove_tags=0, $cur_str_len
        $result = preg_replace('#([^\p{L}]|^)(?:javascript|jar|applescript|vbscript|vbs|wscript|jscript|behavior|mocha|livescript|view-source)\s*:(?:.*?([/\\\;()\'">]|$))#ius',
                '$1$2', $result);

+        // 이벤트 핸들러 속성 제거 (예: onclick=, onerror= 등)
+        $result = preg_replace('/on\w+\s*=\s*(".*?"|\'.*?\'|[^\s>]+)/i', '', $result);
+        
+        // 속성 제거 (CSS 기반 인젝션 차단)
+        $result = preg_replace('/\s*style\s*=\s*(".*?"|\'.*?\'|[^\s>]+)/i', '', $result);
+        
        if((string)$result === (string)$str) break;

        $str = $result;