XSS취약점관련 object 태그 허용설정 변경

2015-10-20 11:05:30 +09:00
parent 0535b6d26a
commit 353a0d9409
1 changed files with 3 additions and 2 deletions
--- a/lib/common.lib.php
+++ b/lib/common.lib.php
@ -562,8 +562,9 @@ function html_purifier($html)
    $config = HTMLPurifier_Config::createDefault();
    // data/cache 디렉토리에 CSS, HTML, URI 디렉토리 등을 만든다.
    $config->set('Cache.SerializerPath', G5_DATA_PATH.'/cache');
-    $config->set('HTML.SafeEmbed', true);
-    $config->set('HTML.SafeObject', true);
+    $config->set('HTML.SafeEmbed', false);
+    $config->set('HTML.SafeObject', false);
+    $config->set('Output.FlashCompat', false);
    $config->set('HTML.SafeIframe', true);
    $config->set('URI.SafeIframeRegexp','%^(https?:)?//('.$safeiframe.')%');
    $config->set('Attr.AllowedFrameTargets', array('_blank'));