From 474fc8f9a90feb4750ae4aac90d02f799d0a6fab Mon Sep 17 00:00:00 2001
From: thisgun
Date: Wed, 27 Mar 2024 11:22:25 +0900
Subject: [PATCH] =?UTF-8?q?=EA=B4=80=EB=A6=AC=EC=9E=90=20xss=20=EC=B2=B4?=
 =?UTF-8?q?=ED=81=AC=20alert=EC=9D=B4=20=EB=84=88=EB=AC=B4=20=EC=9E=90?=
 =?UTF-8?q?=EC=A3=BC=20=EB=B0=9C=EC=83=9D=ED=95=98=EB=8A=94=20=EB=AC=B8?=
 =?UTF-8?q?=EC=A0=9C=20#301=20=EC=88=98=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 adm/admin.lib.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/adm/admin.lib.php b/adm/admin.lib.php
index 8bc521e2d..edbf96fb5 100644
--- a/adm/admin.lib.php
+++ b/adm/admin.lib.php
@@ -554,7 +554,7 @@ function admin_check_xss_params($params)
 if (is_array($value)) {
 admin_check_xss_params($value);
- } else if ((preg_match('/<\s?[^\>]*\/?\s?>/i', $value) && (preg_match('/script.*?\/script/ius', $value) || preg_match('/[onload|onerror]=.*/ius', $value))) || preg_match('/^(?=.*token\()(?=.*xmlhttprequest\()(?=.*send\().*$/im', $value) || (preg_match('/[onload|onerror|focus]=.*/ius', $value) && preg_match('/(eval|expression|exec|prompt)(\s*)\((.*)\)/ius', $value))) {
+ } else if ((preg_match('/<\s?[^\>]*\/?\s?>/i', $value) && (preg_match('/script.*?\/script/ius', $value) || preg_match('/(onload|onerror)=.*/ius', $value))) || preg_match('/^(?=.*token\()(?=.*xmlhttprequest\()(?=.*send\().*$/im', $value) || (preg_match('/(onload|onerror|focus)=.*/ius', $value) && preg_match('/(eval|expression|exec|prompt)(\s*)\((.*)\)/ius', $value))) {
 alert('요청 쿼리에 잘못된 스크립트문장이 있습니다.\\nXSS 공격일수도 있습니다.', G5_URL);
 die();
 }
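Review bot: Every preg_match in the rewritten else-if on the added line carries the `u` modifier, so a value that is not valid UTF-8 makes preg_match return false (PREG_BAD_UTF8_ERROR) instead of 0, and the whole condition then evaluates as "no match" without any signal that the patterns were never applied; the commit keeps that behavior from the removed line. A guard before the pattern checks, `if (!mb_check_encoding($value, 'UTF-8')) { alert('요청 쿼리에 잘못된 스크립트문장이 있습니다.\\nXSS 공격일수도 있습니다.', G5_URL); die(); }`, or a `preg_last_error() !== PREG_NO_ERROR` check after the condition, would make that failure explicit and consistent with how the function already reacts to a match. The change from the character classes `[onload|onerror]` to the alternations `(onload|onerror)` / `(onload|onerror|focus)` is the right fix for the false positives behind #301, but the result is still a short denylist of handler names, so a comment such as `// heuristic request-level check only; output encoding at render time remains the primary XSS control` would keep later maintainers from treating it as a complete filter. The trailing `.*` in `/(onload|onerror)=.*/ius` and `/(onload|onerror|focus)=.*/ius` adds nothing to a boolean preg_match and, with `s`, scans to the end of every value; `/(onload|onerror)=/iu` and `/(onload|onerror|focus)=/iu` are equivalent and cheaper. The condition would also read far better as a named list of patterns with a one-line comment each, iterated with a short loop, instead of one line of nested `&&`/`||`; note that admin_check_xss_params begins before the hunk and its body continues past the closing brace shown.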