From 316d3542a9deaa827d941fa7eb23e20b9c91e1c0 Mon Sep 17 00:00:00 2001
From: thisgun <thisgun@naver.com>
Date: Thu, 15 May 2025 09:53:28 +0900
Subject: [PATCH] =?UTF-8?q?[KVE-2025-0259]XSS=20=EC=B7=A8=EC=95=BD?=
 =?UTF-8?q?=EC=A0=90=20=EC=88=98=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 lib/shop.lib.php                 | 4 ++--
 mobile/shop/lg/returnurl.php     | 4 ++--
 mobile/shop/lg/xpay_approval.php | 2 +-
 plugin/lgxpay/returnurl.php      | 2 +-
 shop/lg/returnurl.php            | 2 +-
 5 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/lib/shop.lib.php b/lib/shop.lib.php
index 561a0c8b6..1b2f4c885 100644
--- a/lib/shop.lib.php
+++ b/lib/shop.lib.php
@@ -2641,10 +2641,10 @@ function make_order_field($data, $exclude)
 
         if(is_array($value)) {
             foreach($value as $k=>$v) {
-                $field .= '<input type="hidden" name="'.$key.'['.$k.']" value="'.get_text($v).'">'.PHP_EOL;
+                $field .= '<input type="hidden" name="'.get_text($key.'['.$k.']').'" value="'.get_text($v).'">'.PHP_EOL;
             }
         } else {
-            $field .= '<input type="hidden" name="'.$key.'" value="'.get_text($value).'">'.PHP_EOL;
+            $field .= '<input type="hidden" name="'.get_text($key).'" value="'.get_text($value).'">'.PHP_EOL;
         }
     }
 
diff --git a/mobile/shop/lg/returnurl.php b/mobile/shop/lg/returnurl.php
index fb7d9195c..a4f25edb7 100644
--- a/mobile/shop/lg/returnurl.php
+++ b/mobile/shop/lg/returnurl.php
@@ -54,8 +54,8 @@ echo '<form name="forderform" method="post" action="'.$order_action_url.'" autoc
 
 echo make_order_field($data, $exclude);
 
-echo '<input type="hidden" name="res_cd" value="'.$LGD_RESPCODE.'">'.PHP_EOL;
-echo '<input type="hidden" name="LGD_PAYKEY" value="'.$LGD_PAYKEY.'">'.PHP_EOL;
+echo '<input type="hidden" name="res_cd" value="'.get_text($LGD_RESPCODE).'">'.PHP_EOL;
+echo '<input type="hidden" name="LGD_PAYKEY" value="'.get_text($LGD_PAYKEY).'">'.PHP_EOL;
 
 echo '</form>'.PHP_EOL;
 ?>
diff --git a/mobile/shop/lg/xpay_approval.php b/mobile/shop/lg/xpay_approval.php
index b6515a061..e46c6e95f 100644
--- a/mobile/shop/lg/xpay_approval.php
+++ b/mobile/shop/lg/xpay_approval.php
@@ -167,7 +167,7 @@ function getFormObject() {
 <form method="post" name="LGD_PAYINFO" id="LGD_PAYINFO" action="">
 <?php
   foreach ($payReqMap as $key => $value) {
-    echo'"<input type="hidden" name="'.$key.'" id="'.$key.'" value="'.$value.'">';
+    echo'"<input type="hidden" name="'.get_text($key).'" id="'.get_text($key).'" value="'.get_text($value).'">';
   }
 ?>
 </form>
diff --git a/plugin/lgxpay/returnurl.php b/plugin/lgxpay/returnurl.php
index a2615ea36..431e46571 100644
--- a/plugin/lgxpay/returnurl.php
+++ b/plugin/lgxpay/returnurl.php
@@ -59,7 +59,7 @@ $payReqMap = $_SESSION['lgd_certify'];//결제 요청시, Session에 저장했
 	  foreach ($payReqMap as $key => $value) {
         $key = htmlspecialchars(strip_tags($key));
         $value = htmlspecialchars(strip_tags($value));
-      echo "<input type='hidden' name='$key' id='$key' value='$value'>";
+      echo "<input type='hidden' name='".get_text($key)."' id='".get_text($key)."' value='".get_text($value)."'>";
     }
 ?>
 </form>
diff --git a/shop/lg/returnurl.php b/shop/lg/returnurl.php
index 57ebee9c8..7789aee6d 100644
--- a/shop/lg/returnurl.php
+++ b/shop/lg/returnurl.php
@@ -46,7 +46,7 @@ $payReqMap = $_SESSION['PAYREQ_MAP'];//결제 요청시, Session에 저장했던
 <form method="post" name="LGD_RETURNINFO" id="LGD_RETURNINFO">
 <?php
 	  foreach ($payReqMap as $key => $value) {
-      echo "<input type='hidden' name='$key' id='$key' value='$value'>";
+      echo "<input type='hidden' name='".get_text($key)."' id='".get_text($key)."' value='".get_text($value)."'>";
     }
 ?>
 </form>