From 45244de78ee36e93668285561c99dac22591cdcb Mon Sep 17 00:00:00 2001
From: chicpro <chicpro@sir.co.kr>
Date: Thu, 9 Jul 2015 13:46:17 +0900
Subject: [PATCH] =?UTF-8?q?XSS=20=EC=B7=A8=EC=95=BD=EC=A0=90=20=EC=88=98?=
 =?UTF-8?q?=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 lib/common.lib.php                      | 8 ++------
 mobile/skin/member/basic/login.skin.php | 2 +-
 skin/member/basic/login.skin.php        | 2 +-
 3 files changed, 4 insertions(+), 8 deletions(-)

diff --git a/lib/common.lib.php b/lib/common.lib.php
index 53eb1f1df..091ba8cb4 100644
--- a/lib/common.lib.php
+++ b/lib/common.lib.php
@@ -2367,12 +2367,8 @@ function hyphen_hp_number($hp)
 function login_url($url='')
 {
     if (!$url) $url = G5_URL;
-    /*
-    $p = parse_url($url);
-    echo urlencode($_SERVER['REQUEST_URI']);
-    return $url.urldecode(preg_replace("/^".urlencode($p['path'])."/", "", urlencode($_SERVER['REQUEST_URI'])));
-    */
-    return $url;
+
+    return urlencode(clean_xss_tags($url));
 }
 
 
diff --git a/mobile/skin/member/basic/login.skin.php b/mobile/skin/member/basic/login.skin.php
index 3274b7dd8..3d704f392 100644
--- a/mobile/skin/member/basic/login.skin.php
+++ b/mobile/skin/member/basic/login.skin.php
@@ -9,7 +9,7 @@ add_stylesheet('<link rel="stylesheet" href="'.$member_skin_url.'/style.css">',
     <h1><?php echo $g5['title'] ?></h1>
 
     <form name="flogin" action="<?php echo $login_action_url ?>" onsubmit="return flogin_submit(this);" method="post">
-    <input type="hidden" name="url" value='<?php echo $login_url ?>'>
+    <input type="hidden" name="url" value="<?php echo $login_url ?>">
 
     <div id="login_frm">
         <label for="login_id" class="sound_only">아이디<strong class="sound_only"> 필수</strong></label>
diff --git a/skin/member/basic/login.skin.php b/skin/member/basic/login.skin.php
index 18771e54c..86772c70d 100644
--- a/skin/member/basic/login.skin.php
+++ b/skin/member/basic/login.skin.php
@@ -10,7 +10,7 @@ add_stylesheet('<link rel="stylesheet" href="'.$member_skin_url.'/style.css">',
     <h1><?php echo $g5['title'] ?></h1>
 
     <form name="flogin" action="<?php echo $login_action_url ?>" onsubmit="return flogin_submit(this);" method="post">
-    <input type="hidden" name="url" value='<?php echo $login_url ?>'>
+    <input type="hidden" name="url" value="<?php echo $login_url ?>">
 
     <fieldset id="login_fs">
         <legend>회원로그인</legend>