From 2a5e9ad7fb5944445361d54bb1e50a76956e1a8a Mon Sep 17 00:00:00 2001
From: chicpro <chicpro@gmail.com>
Date: Thu, 12 Jun 2014 10:20:06 +0900
Subject: [PATCH] =?UTF-8?q?XSS=20=EA=B4=80=EB=A0=A8=20=EB=8C=80=EC=9D=91?=
 =?UTF-8?q?=20get=5Ftext=20=ED=95=A8=EC=88=98=20=EC=B2=98=EB=A6=AC=20?=
 =?UTF-8?q?=EC=B6=94=EA=B0=80?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 adm/shop_admin/orderlist.php        |  4 ++--
 adm/shop_admin/orderprintresult.php | 20 ++++++++++----------
 mobile/shop/orderformupdate.php     |  1 +
 mobile/shop/orderinquiryview.php    | 22 +++++++++++-----------
 mobile/shop/personalpayresult.php   |  4 ++--
 shop/orderform.php                  |  2 +-
 shop/orderformupdate.php            |  1 +
 shop/orderinquiryview.php           | 22 +++++++++++-----------
 shop/personalpayresult.php          |  4 ++--
 9 files changed, 41 insertions(+), 39 deletions(-)

diff --git a/adm/shop_admin/orderlist.php b/adm/shop_admin/orderlist.php
index 8a7bcceaa..37840b106 100644
--- a/adm/shop_admin/orderlist.php
+++ b/adm/shop_admin/orderlist.php
@@ -346,8 +346,8 @@ if(!sql_query(" select mb_id from {$g5['g5_shop_order_delete_table']} limit 1 ",
             <?php echo $od_paytype; ?>
         </td>
         <td headers="th_odrer" class="td_name"><?php echo $mb_nick; ?></td>
-        <td headers="th_odrertel" class="td_tel"><?php echo $row['od_tel']; ?></td>
-        <td headers="th_recvr" class="td_name"><a href="<?php echo $_SERVER['PHP_SELF']; ?>?sort1=<?php echo $sort1; ?>&amp;sort2=<?php echo $sort2; ?>&amp;sel_field=od_b_name&amp;search=<?php echo $row['od_b_name']; ?>"><?php echo $row['od_b_name']; ?></a></td>
+        <td headers="th_odrertel" class="td_tel"><?php echo get_text($row['od_tel']); ?></td>
+        <td headers="th_recvr" class="td_name"><a href="<?php echo $_SERVER['PHP_SELF']; ?>?sort1=<?php echo $sort1; ?>&amp;sort2=<?php echo $sort2; ?>&amp;sel_field=od_b_name&amp;search=<?php echo get_text($row['od_b_name']); ?>"><?php echo get_text($row['od_b_name']); ?></a></td>
         <td rowspan="3" class="td_numsum"><?php echo number_format($row['od_cart_price'] + $row['od_send_cost'] + $row['od_send_cost2']); ?></td>
         <td rowspan="3" class="td_numincome"><?php echo number_format($row['od_receipt_price']); ?></td>
         <td rowspan="3" class="td_numcancel<?php echo $td_color; ?>"><?php echo number_format($row['od_cancel_price']); ?></td>
diff --git a/adm/shop_admin/orderprintresult.php b/adm/shop_admin/orderprintresult.php
index 1cdbb9983..77814bfa6 100644
--- a/adm/shop_admin/orderprintresult.php
+++ b/adm/shop_admin/orderprintresult.php
@@ -257,33 +257,33 @@ if (mysql_num_rows($result) == 0)
         if ($row1['od_name'] == $row1['od_b_name'] && $row1['od_addr'] == $row1['od_b_addr'] && $row1['od_tel'] == $row1['od_b_tel'] &&  $row1['od_hp'] == $row1['od_b_hp'] && $row1['od_hp'] != "&nbsp;") $samesamesame = 1;
         else $samesamesame = '';
 
-        $od_memo = ($row1['od_memo']) ? stripslashes($row1['od_memo']) : '';
-        $od_shop_memo = ($row1['od_shop_memo']) ? stripslashes($row1['od_shop_memo']) : '';
+        $od_memo = ($row1['od_memo']) ? get_text(stripslashes($row1['od_memo'])) : '';
+        $od_shop_memo = ($row1['od_shop_memo']) ? get_text(stripslashes($row1['od_shop_memo'])) : '';
     ?>
     <!-- 반복시작 - 지운아빠 2013-04-18 -->
     <div class="sodr_print_pop_list">
         <h2>주문번호 <?php echo $row1['od_id']; ?></h2>
-        <h3>보내는 사람 : <?php echo $row1['od_name']; ?></h3>
+        <h3>보내는 사람 : <?php echo get_text($row1['od_name']); ?></h3>
 
         <dl>
             <dt>주소</dt>
-            <dd><?php echo $row1['od_addr']; ?></dd>
+            <dd><?php echo get_text($row1['od_addr']); ?></dd>
             <dt>휴대폰</dt>
-            <dd><?php echo $row1['od_hp']; ?></dd>
+            <dd><?php echo get_text($row1['od_hp']); ?></dd>
             <dt>전화번호</dt>
-            <dd><?php echo $row1['od_tel']; ?></dd>
+            <dd><?php echo get_text($row1['od_tel']); ?></dd>
         </dl>
         <?php if ($samesamesame) { ?>
         <p class="sodr_print_pop_same">보내는 사람과 받는 사람이 동일합니다.</p>
         <?php } else { ?>
-        <h3>받는 사람 : <?php echo $row1['od_b_name']; ?></h3>
+        <h3>받는 사람 : <?php echo get_text($row1['od_b_name']); ?></h3>
         <dl>
             <dt>주소</dt>
-            <dd><?php echo $row1['od_b_addr']; ?></dd>
+            <dd><?php echo get_text($row1['od_b_addr']); ?></dd>
             <dt>휴대폰</dt>
-            <dd><?php echo $row1['od_b_hp']; ?></dd>
+            <dd><?php echo get_text($row1['od_b_hp']); ?></dd>
             <dt>전화번호</dt>
-            <dd><?php echo $row1['od_b_tel']; ?></dd>
+            <dd><?php echo get_text($row1['od_b_tel']); ?></dd>
         </dl>
         <?php } ?>
 
diff --git a/mobile/shop/orderformupdate.php b/mobile/shop/orderformupdate.php
index e63a8ebc6..ea1d740b6 100644
--- a/mobile/shop/orderformupdate.php
+++ b/mobile/shop/orderformupdate.php
@@ -410,6 +410,7 @@ if($default['de_tax_flag_use']) {
 }
 
 $od_pg = $default['de_pg_service'];
+$od_email = get_email_address($od_email);
 
 // 주문서에 입력
 $sql = " insert {$g5['g5_shop_order_table']}
diff --git a/mobile/shop/orderinquiryview.php b/mobile/shop/orderinquiryview.php
index 86e8bd2bd..828d6ef18 100644
--- a/mobile/shop/orderinquiryview.php
+++ b/mobile/shop/orderinquiryview.php
@@ -292,11 +292,11 @@ if($od['od_pg'] == 'lg') {
                 ?>
                 <tr>
                     <th scope="row">입금자명</th>
-                    <td><?php echo $od['od_deposit_name']; ?></td>
+                    <td><?php echo get_text($od['od_deposit_name']); ?></td>
                 </tr>
                 <tr>
                     <th scope="row">입금계좌</th>
-                    <td><?php echo $od['od_bank_account']; ?></td>
+                    <td><?php echo get_text($od['od_bank_account']); ?></td>
                 </tr>
                 <?php
                 }
@@ -432,23 +432,23 @@ if($od['od_pg'] == 'lg') {
                 <tbody>
                 <tr>
                     <th scope="row">이 름</th>
-                    <td><?php echo $od['od_name']; ?></td>
+                    <td><?php echo get_text($od['od_name']); ?></td>
                 </tr>
                 <tr>
                     <th scope="row">전화번호</th>
-                    <td><?php echo $od['od_tel']; ?></td>
+                    <td><?php echo get_text($od['od_tel']); ?></td>
                 </tr>
                 <tr>
                     <th scope="row">핸드폰</th>
-                    <td><?php echo $od['od_hp']; ?></td>
+                    <td><?php echo get_text($od['od_hp']); ?></td>
                 </tr>
                 <tr>
                     <th scope="row">주 소</th>
-                    <td><?php echo sprintf("(%s-%s)", $od['od_zip1'], $od['od_zip2']).' '.print_address($od['od_addr1'], $od['od_addr2'], $od['od_addr3']); ?></td>
+                    <td><?php echo get_text(sprintf("(%s-%s)", $od['od_zip1'], $od['od_zip2']).' '.print_address($od['od_addr1'], $od['od_addr2'], $od['od_addr3'])); ?></td>
                 </tr>
                 <tr>
                     <th scope="row">E-mail</th>
-                    <td><?php echo $od['od_email']; ?></td>
+                    <td><?php echo get_text($od['od_email']); ?></td>
                 </tr>
                 </tbody>
                 </table>
@@ -468,19 +468,19 @@ if($od['od_pg'] == 'lg') {
                 <tbody>
                 <tr>
                     <th scope="row">이 름</th>
-                    <td><?php echo $od['od_b_name']; ?></td>
+                    <td><?php echo get_text($od['od_b_name']); ?></td>
                 </tr>
                 <tr>
                     <th scope="row">전화번호</th>
-                    <td><?php echo $od['od_b_tel']; ?></td>
+                    <td><?php echo get_text($od['od_b_tel']); ?></td>
                 </tr>
                 <tr>
                     <th scope="row">핸드폰</th>
-                    <td><?php echo $od['od_b_hp']; ?></td>
+                    <td><?php echo get_text($od['od_b_hp']); ?></td>
                 </tr>
                 <tr>
                     <th scope="row">주 소</th>
-                    <td><?php echo sprintf("(%s-%s)", $od['od_b_zip1'], $od['od_b_zip2']).' '.print_address($od['od_b_addr1'], $od['od_b_addr2'], $od['od_b_addr3']); ?></td>
+                    <td><?php echo get_text(sprintf("(%s-%s)", $od['od_b_zip1'], $od['od_b_zip2']).' '.print_address($od['od_b_addr1'], $od['od_b_addr2'], $od['od_b_addr3'])); ?></td>
                 </tr>
                 <?php
                 // 희망배송일을 사용한다면
diff --git a/mobile/shop/personalpayresult.php b/mobile/shop/personalpayresult.php
index 8bc8514d1..739366066 100644
--- a/mobile/shop/personalpayresult.php
+++ b/mobile/shop/personalpayresult.php
@@ -117,11 +117,11 @@ if($od['od_pg'] == 'lg') {
                 ?>
                 <tr>
                     <th scope="row">입금자명</th>
-                    <td><?php echo $pp['pp_deposit_name']; ?></td>
+                    <td><?php echo get_text($pp['pp_deposit_name']); ?></td>
                 </tr>
                 <tr>
                     <th scope="row">입금계좌</th>
-                    <td><?php echo $pp['pp_bank_account']; ?></td>
+                    <td><?php echo get_text($pp['pp_bank_account']); ?></td>
                 </tr>
                 <?php
                 }
diff --git a/shop/orderform.php b/shop/orderform.php
index 8290672ce..2c0e6cdae 100644
--- a/shop/orderform.php
+++ b/shop/orderform.php
@@ -20,7 +20,7 @@ if (get_cart_count($tmp_cart_id) == 0)
 
 $g5['title'] = '주문서 작성';
 
-// LG Xpay 전자결제를 사용할 때만 실행
+// 전자결제를 사용할 때만 실행
 if($default['de_iche_use'] || $default['de_vbank_use'] || $default['de_hp_use'] || $default['de_card_use']) {
     switch($default['de_pg_service']) {
         case 'lg':
diff --git a/shop/orderformupdate.php b/shop/orderformupdate.php
index 322decb6b..8ac5620dd 100644
--- a/shop/orderformupdate.php
+++ b/shop/orderformupdate.php
@@ -404,6 +404,7 @@ if($default['de_tax_flag_use']) {
 }
 
 $od_pg = $default['de_pg_service'];
+$od_email = get_email_address($od_email);
 
 // 주문서에 입력
 $sql = " insert {$g5['g5_shop_order_table']}
diff --git a/shop/orderinquiryview.php b/shop/orderinquiryview.php
index a1c1b8452..e36c9db9e 100644
--- a/shop/orderinquiryview.php
+++ b/shop/orderinquiryview.php
@@ -309,11 +309,11 @@ if($od['od_pg'] == 'lg') {
                 ?>
                 <tr>
                     <th scope="row">입금자명</th>
-                    <td><?php echo $od['od_deposit_name']; ?></td>
+                    <td><?php echo get_text($od['od_deposit_name']); ?></td>
                 </tr>
                 <tr>
                     <th scope="row">입금계좌</th>
-                    <td><?php echo $od['od_bank_account']; ?></td>
+                    <td><?php echo get_text($od['od_bank_account']); ?></td>
                 </tr>
                 <?php
                 }
@@ -449,23 +449,23 @@ if($od['od_pg'] == 'lg') {
                 <tbody>
                 <tr>
                     <th scope="row">이 름</th>
-                    <td><?php echo $od['od_name']; ?></td>
+                    <td><?php echo get_text($od['od_name']); ?></td>
                 </tr>
                 <tr>
                     <th scope="row">전화번호</th>
-                    <td><?php echo $od['od_tel']; ?></td>
+                    <td><?php echo get_text($od['od_tel']); ?></td>
                 </tr>
                 <tr>
                     <th scope="row">핸드폰</th>
-                    <td><?php echo $od['od_hp']; ?></td>
+                    <td><?php echo get_text($od['od_hp']); ?></td>
                 </tr>
                 <tr>
                     <th scope="row">주 소</th>
-                    <td><?php echo sprintf("(%s-%s)", $od['od_zip1'], $od['od_zip2']).' '.print_address($od['od_addr1'], $od['od_addr2'], $od['od_addr3']); ?></td>
+                    <td><?php echo get_text(sprintf("(%s-%s)", $od['od_zip1'], $od['od_zip2']).' '.print_address($od['od_addr1'], $od['od_addr2'], $od['od_addr3'])); ?></td>
                 </tr>
                 <tr>
                     <th scope="row">E-mail</th>
-                    <td><?php echo $od['od_email']; ?></td>
+                    <td><?php echo get_text($od['od_email']); ?></td>
                 </tr>
                 </tbody>
                 </table>
@@ -484,19 +484,19 @@ if($od['od_pg'] == 'lg') {
                 <tbody>
                 <tr>
                     <th scope="row">이 름</th>
-                    <td><?php echo $od['od_b_name']; ?></td>
+                    <td><?php echo get_text($od['od_b_name']); ?></td>
                 </tr>
                 <tr>
                     <th scope="row">전화번호</th>
-                    <td><?php echo $od['od_b_tel']; ?></td>
+                    <td><?php echo get_text($od['od_b_tel']); ?></td>
                 </tr>
                 <tr>
                     <th scope="row">핸드폰</th>
-                    <td><?php echo $od['od_b_hp']; ?></td>
+                    <td><?php echo get_text($od['od_b_hp']); ?></td>
                 </tr>
                 <tr>
                     <th scope="row">주 소</th>
-                    <td><?php echo sprintf("(%s-%s)", $od['od_b_zip1'], $od['od_b_zip2']).' '.print_address($od['od_b_addr1'], $od['od_b_addr2'], $od['od_b_addr3']); ?></td>
+                    <td><?php echo get_text(sprintf("(%s-%s)", $od['od_b_zip1'], $od['od_b_zip2']).' '.print_address($od['od_b_addr1'], $od['od_b_addr2'], $od['od_b_addr3'])); ?></td>
                 </tr>
                 <?php
                 // 희망배송일을 사용한다면
diff --git a/shop/personalpayresult.php b/shop/personalpayresult.php
index 9cd6f057a..f9ccc7329 100644
--- a/shop/personalpayresult.php
+++ b/shop/personalpayresult.php
@@ -123,11 +123,11 @@ if($od['od_pg'] == 'lg') {
                 ?>
                 <tr>
                     <th scope="row">입금자명</th>
-                    <td><?php echo $pp['pp_deposit_name']; ?></td>
+                    <td><?php echo get_text($pp['pp_deposit_name']); ?></td>
                 </tr>
                 <tr>
                     <th scope="row">입금계좌</th>
-                    <td><?php echo $pp['pp_bank_account']; ?></td>
+                    <td><?php echo get_text($pp['pp_bank_account']); ?></td>
                 </tr>
                 <?php
                 }