From 2a8f5f6035455c9454166f79a9c15b077cec6ab4 Mon Sep 17 00:00:00 2001
From: thisgun
Date: Fri, 16 Jun 2023 17:20:18 +0900
Subject: [PATCH] =?UTF-8?q?=EC=83=81=ED=92=88=20=EA=B2=80=EC=83=89=20?=
 =?UTF-8?q?=ED=8E=98=EC=9D=B4=EC=A7=80=20xss=20=EC=B7=A8=EC=95=BD=EC=A0=90?=
 =?UTF-8?q?=20=EC=88=98=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 lib/common.lib.php | 1 +
 mobile/shop/search.php | 8 ++++----
 shop/search.php | 9 +++++----
 3 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/lib/common.lib.php b/lib/common.lib.php
index afafb2ba3..24f223609 100644
--- a/lib/common.lib.php
+++ b/lib/common.lib.php
@@ -23,6 +23,7 @@ function get_paging($write_pages, $cur_page, $total_page, $url, $add="")
 //$url = preg_replace('#&page=[0-9]*(&page=)$#', '$1', $url);
 $url = preg_replace('#(&)?page=[0-9]*#', '', $url);
 $url .= substr($url, -1) === '?' ? 'page=' : '&page=';
+ $url = preg_replace('|[^\w\-~+_.?#=!&;,/:%@$\|*\'()\[\]\\x80-\\xff]|i', '', clean_xss_tags($url));
 $str = '';
 if ($cur_page > 1) {
diff --git a/mobile/shop/search.php b/mobile/shop/search.php
index a3a7c878d..85f609900 100644
--- a/mobile/shop/search.php
+++ b/mobile/shop/search.php
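Review bot: The allowlist added to get_paging still lets `'`, `(`, `)`, `=`, `;` and `%` through in `$url`, so it only closes the door for a double-quoted attribute context; it is not a substitute for encoding at the point where get_paging writes `$url` into the page markup, which lies outside this hunk. The robust fix is to keep the strip if you like but also run the value through `htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` where it is emitted, so a single-quoted `href='…'` is covered as well. Note that `\\x80-\\xff` in the single-quoted pattern passes every high byte untouched, so the filter is byte-wise rather than UTF-8-aware, which is acceptable for URLs but worth a comment on the line, e.g. `// allowlist of URL-safe bytes; output encoding still happens at emission`. get_paging's body continues outside the hunk.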
@@ -17,10 +17,10 @@ if (isset($_GET['qname']) || isset($_GET['qexplan']) || isset($_GET['qid']) || i
 $search_all = false;
 $q = utf8_strcut(get_search_string(trim($_GET['q'])), 30, "");
-$qname = isset($_GET['qname']) ? trim($_GET['qname']) : '';
-$qexplan = isset($_GET['qexplan']) ? trim($_GET['qexplan']) : '';
-$qid = isset($_GET['qid']) ? trim($_GET['qid']) : '';
-$qbasic = isset($_GET['qbasic']) ? trim($_GET['qbasic']) : '';
+$qname = isset($_GET['qname']) ? trim(clean_xss_tags($_GET['qname'])) : '';
+$qexplan = isset($_GET['qexplan']) ? trim(clean_xss_tags($_GET['qexplan'])) : '';
+$qid = isset($_GET['qid']) ? trim(clean_xss_tags($_GET['qid'])) : '';
+$qbasic = isset($_GET['qbasic']) ? trim(clean_xss_tags($_GET['qbasic'])) : '';
 $qcaid = isset($_GET['qcaid']) ? preg_replace('#[^a-z0-9]#i', '', trim($_GET['qcaid'])) : '';
 $qfrom = isset($_GET['qfrom']) ? preg_replace('/[^0-9]/', '', trim($_GET['qfrom'])) : '';
 $qto = isset($_GET['qto']) ? preg_replace('/[^0-9]/', '', trim($_GET['qto'])) : '';
diff --git a/shop/search.php b/shop/search.php
index c2861eca2..9ea5f6624 100644
--- a/shop/search.php
+++ b/shop/search.php
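Review bot: `clean_xss_tags()` on `$qname`, `$qexplan`, `$qid` and `$qbasic` is a tag-stripping input filter, not output encoding, so wherever these values are echoed back into the search form or used in a query (outside this hunk) they still need `htmlspecialchars(..., ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` at the output point and the query-side escaping respectively. The `if (isset($_GET['qname']) || ...)` line shown as hunk context suggests these four are presence flags rather than free text; if that holds, the stronger and more consistent fix is the allowlist the neighbouring `$qcaid` line already uses, e.g. `$qname = isset($_GET['qname']) ? preg_replace('#[^a-z0-9]#i', '', trim($_GET['qname'])) : '';` for each of the four. The same point applies to the identical hunk in shop/search.php.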
@@ -24,13 +24,14 @@ if (isset($_GET['qname']) || isset($_GET['qexplan']) || isset($_GET['qid']) || i
 $search_all = false;
 $q = utf8_strcut(get_search_string(trim($_GET['q'])), 30, "");
-$qname = isset($_GET['qname']) ? trim($_GET['qname']) : '';
-$qexplan = isset($_GET['qexplan']) ? trim($_GET['qexplan']) : '';
-$qid = isset($_GET['qid']) ? trim($_GET['qid']) : '';
-$qbasic = isset($_GET['qbasic']) ? trim($_GET['qbasic']) : '';
+$qname = isset($_GET['qname']) ? trim(clean_xss_tags($_GET['qname'])) : '';
+$qexplan = isset($_GET['qexplan']) ? trim(clean_xss_tags($_GET['qexplan'])) : '';
+$qid = isset($_GET['qid']) ? trim(clean_xss_tags($_GET['qid'])) : '';
+$qbasic = isset($_GET['qbasic']) ? trim(clean_xss_tags($_GET['qbasic'])) : '';
 $qcaid = isset($_GET['qcaid']) ? preg_replace('#[^a-z0-9]#i', '', trim($_GET['qcaid'])) : '';
 $qfrom = isset($_GET['qfrom']) ? preg_replace('/[^0-9]/', '', trim($_GET['qfrom'])) : '';
 $qto = isset($_GET['qto']) ? preg_replace('/[^0-9]/', '', trim($_GET['qto'])) : '';
+
 if (isset($_GET['qsort'])) {
 $qsort = trim($_GET['qsort']);
 $qsort = preg_replace("/[\<\>\'\"\\\'\\\"\%\=\(\)\s]/", "", $qsort);