From 633ff46596763ed46328f3cc4a63318b075ce2f3 Mon Sep 17 00:00:00 2001
From: thisgun
Date: Fri, 12 Sep 2025 10:50:08 +0900
Subject: [PATCH] =?UTF-8?q?=EC=A0=84=EC=B2=B4=EA=B2=80=EC=83=89=EC=8B=9C?= =?UTF-8?q?=20=ED=8E=98=EC=9D=B4=EC=A7=95=20=EB=90=98=EC=A7=80=20=EC=95=8A?= =?UTF-8?q?=EB=8A=94=20=EC=98=A4=EB=A5=98=20=EC=88=98=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 lib/common.lib.php | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/lib/common.lib.php b/lib/common.lib.php
index ddb8bbace..291af89f3 100644
--- a/lib/common.lib.php
+++ b/lib/common.lib.php
@@ -3429,11 +3429,8 @@ function clean_xss_tags($str, $check_entities=0, $is_remove_tags=0, $cur_str_len
 $result = preg_replace('#([^\p{L}]|^)(?:javascript|jar|applescript|vbscript|vbs|wscript|jscript|behavior|mocha|livescript|view-source)\s*:(?:.*?([/\\\;()\'">]|$))#ius', '$1$2', $result);
- // 이벤트 핸들러 속성 제거 (예: onclick=, onerror= 등)
- $result = preg_replace('/on\w+\s*=\s*(".*?"|\'.*?\'|[^\s>]+)/i', '', $result);
-
- // 속성 제거 (CSS 기반 인젝션 차단)
- $result = preg_replace('/\s*style\s*=\s*(".*?"|\'.*?\'|[^\s>]+)/i', '', $result);
+ // 따옴표 + 속성으로 강제 진입 차단 (예: "style=..., 'onerror=...)
+ $result = preg_replace('/["\']\s*(?:on\w+|style)\s*=\s*/i', '', $result);
 if((string)$result === (string)$str) break;