From 6a3c2b1002ba0ba9d2f6fdc87a32cc6a3feb97c5 Mon Sep 17 00:00:00 2001
From: thisgun <thisgun@naver.com>
Date: Wed, 27 Aug 2025 17:58:06 +0900
Subject: [PATCH] =?UTF-8?q?[KVE-2025-0464]=EC=98=81=EC=B9=B4=ED=8A=B8=20XS?=
 =?UTF-8?q?S=20=EC=B7=A8=EC=95=BD=EC=A0=90=20=EC=88=98=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 adm/shop_admin/itemformupdate.php | 36 +++++++++++++++++++++++++++----
 adm/shop_admin/itemoption.php     |  4 ++--
 adm/shop_admin/itemsupply.php     |  8 +++----
 lib/shop.lib.php                  |  8 +++----
 4 files changed, 42 insertions(+), 14 deletions(-)

diff --git a/adm/shop_admin/itemformupdate.php b/adm/shop_admin/itemformupdate.php
index 9543b568f..52ee641ee 100644
--- a/adm/shop_admin/itemformupdate.php
+++ b/adm/shop_admin/itemformupdate.php
@@ -235,6 +235,14 @@ sql_query(" delete from {$g5['g5_shop_event_item_table']} where it_id = '$it_id'
 // 선택옵션
 sql_query(" delete from {$g5['g5_shop_item_option_table']} where io_type = '0' and it_id = '$it_id' "); // 기존선택옵션삭제
 
+// 금지할 패턴 목록
+$forbidden_patterns = array(
+    '/<\s*script/i',      // <script>
+    '/<\s*iframe/i',      // <iframe>
+    '/on\w+\s*=/i',       // onclick=, onerror= 등 이벤트 핸들러
+    '/javascript:/i'      // javascript: 프로토콜
+);
+
 $option_count = (isset($_POST['opt_id']) && is_array($_POST['opt_id'])) ? count($_POST['opt_id']) : array();
 $it_option_subject = '';
 $it_supply_subject = '';
@@ -243,8 +251,18 @@ if($option_count) {
     // 옵션명
     $opt1_cnt = $opt2_cnt = $opt3_cnt = 0;
     for($i=0; $i<$option_count; $i++) {
-        $post_opt_id = isset($_POST['opt_id'][$i]) ? preg_replace(G5_OPTION_ID_FILTER, '', strip_tags($_POST['opt_id'][$i])) : '';
-
+        $post_opt_id = isset($_POST['opt_id'][$i]) ? $_POST['opt_id'][$i] : '';
+        
+        foreach ($forbidden_patterns as $pattern) {
+            if (preg_match($pattern, $post_opt_id)) {
+                $post_opt_id = '';
+                $_POST['opt_id'][$i] = '';
+                continue 2;
+            }
+        }
+        
+        $post_opt_id = preg_replace(G5_OPTION_ID_FILTER, '', strip_tags($post_opt_id));
+            
         $opt_val = explode(chr(30), $post_opt_id);
         if(isset($opt_val[0]) && $opt_val[0])
             $opt1_cnt++;
@@ -271,8 +289,18 @@ if($supply_count) {
     // 추가옵션명
     $arr_spl = array();
     for($i=0; $i<$supply_count; $i++) {
-        $post_spl_id = isset($_POST['spl_id'][$i]) ? preg_replace(G5_OPTION_ID_FILTER, '', strip_tags($_POST['spl_id'][$i])) : '';
-
+        $post_spl_id = isset($_POST['spl_id'][$i]) ? $_POST['spl_id'][$i] : '';
+        
+        foreach ($forbidden_patterns as $pattern) {
+            if (preg_match($pattern, $post_spl_id)) {
+                $post_spl_id = '';
+                $_POST['spl_id'][$i] = '';
+                continue 2;
+            }
+        }
+        
+        $post_spl_id = preg_replace(G5_OPTION_ID_FILTER, '', strip_tags($post_spl_id));
+        
         $spl_val = explode(chr(30), $post_spl_id);
         if(!in_array($spl_val[0], $arr_spl))
             $arr_spl[] = $spl_val[0];
diff --git a/adm/shop_admin/itemoption.php b/adm/shop_admin/itemoption.php
index 8b70c1601..403c95867 100644
--- a/adm/shop_admin/itemoption.php
+++ b/adm/shop_admin/itemoption.php
@@ -84,11 +84,11 @@ if($po_run) {
     ?>
     <tr>
         <td class="td_chk">
-            <input type="hidden" name="opt_id[]" value="<?php echo $opt_id; ?>">
+            <input type="hidden" name="opt_id[]" value="<?php echo get_text($opt_id); ?>">
             <label for="opt_chk_<?php echo $i; ?>" class="sound_only"></label>
             <input type="checkbox" name="opt_chk[]" id="opt_chk_<?php echo $i; ?>" value="1">
         </td>
-        <td class="opt-cell"><?php echo $opt_1; if ($opt_2_len) echo ' <small>&gt;</small> '.$opt_2; if ($opt_3_len) echo ' <small>&gt;</small> '.$opt_3; ?></td>
+        <td class="opt-cell"><?php echo get_text($opt_1); if ($opt_2_len) echo ' <small>&gt;</small> '.get_text($opt_2); if ($opt_3_len) echo ' <small>&gt;</small> '.get_text($opt_3); ?></td>
         <td class="td_numsmall">
             <label for="opt_price_<?php echo $i; ?>" class="sound_only"></label>
             <input type="text" name="opt_price[]" value="<?php echo $opt_price; ?>" id="opt_price_<?php echo $i; ?>" class="frm_input" size="9">
diff --git a/adm/shop_admin/itemsupply.php b/adm/shop_admin/itemsupply.php
index 389c2bf62..955241001 100644
--- a/adm/shop_admin/itemsupply.php
+++ b/adm/shop_admin/itemsupply.php
@@ -55,12 +55,12 @@ if($ps_run) {
     ?>
     <tr>
         <td class="td_chk">
-            <input type="hidden" name="spl_id[]" value="<?php echo $spl_id; ?>">
-            <label for="spl_chk_<?php echo $i; ?>" class="sound_only"><?php echo $spl_subject.' '.$spl; ?></label>
+            <input type="hidden" name="spl_id[]" value="<?php echo get_text($spl_id); ?>">
+            <label for="spl_chk_<?php echo $i; ?>" class="sound_only"><?php echo get_text($spl_subject.' '.$spl); ?></label>
             <input type="checkbox" name="spl_chk[]" id="spl_chk_<?php echo $i; ?>" value="1">
         </td>
-        <td class="spl-subject-cell"><?php echo $spl_subject; ?></td>
-        <td class="spl-cell"><?php echo $spl; ?></td>
+        <td class="spl-subject-cell"><?php echo get_text($spl_subject); ?></td>
+        <td class="spl-cell"><?php echo get_text($spl); ?></td>
         <td class="td_numsmall">
             <label for="spl_price_<?php echo $i; ?>" class="sound_only">상품금액</label>
             <input type="text" name="spl_price[]" value="<?php echo $spl_price; ?>" id="spl_price_<?php echo $i; ?>" class="frm_input" size="5">
diff --git a/lib/shop.lib.php b/lib/shop.lib.php
index 4825dcd69..e7e31ada8 100644
--- a/lib/shop.lib.php
+++ b/lib/shop.lib.php
@@ -1010,7 +1010,7 @@ function get_item_options($it_id, $subject, $is_div='', $is_first_option_title='
                 for($k=0; $k<$opt_count; $k++) {
                     $opt_val = $opt[$k];
                     if(strlen($opt_val)) {
-                        $select .= '<option value="'.$opt_val.'">'.$opt_val.'</option>'.PHP_EOL;
+                        $select .= '<option value="'.get_text($opt_val).'">'.get_text($opt_val).'</option>'.PHP_EOL;
                     }
                 }
                 $select .= '</select>'.PHP_EOL;
@@ -1046,7 +1046,7 @@ function get_item_options($it_id, $subject, $is_div='', $is_first_option_title='
             else
                 $soldout = '';
 
-            $select .= '<option value="'.$row['io_id'].','.$row['io_price'].','.$row['io_stock_qty'].'">'.$row['io_id'].$price.$soldout.'</option>'.PHP_EOL;
+            $select .= '<option value="'.get_text($row['io_id']).','.$row['io_price'].','.$row['io_stock_qty'].'">'.get_text($row['io_id']).$price.$soldout.'</option>'.PHP_EOL;
         }
         $select .= '</select>'.PHP_EOL;
         
@@ -1101,7 +1101,7 @@ function get_item_supply($it_id, $subject, $is_div='', $is_first_option_title=''
             else
                 $soldout = '';
 
-            $options[$opt_id[0]][] = '<option value="'.$opt_id[1].','.$row['io_price'].','.$io_stock_qty.'">'.$opt_id[1].$price.$soldout.'</option>';
+            $options[$opt_id[0]][] = '<option value="'.get_text($opt_id[1]).','.$row['io_price'].','.$io_stock_qty.'">'.get_text($opt_id[1]).$price.$soldout.'</option>';
         }
     }
 
@@ -1122,7 +1122,7 @@ function get_item_supply($it_id, $subject, $is_div='', $is_first_option_title=''
             $first_option_title = $is_first_option_title ? $subj[$i] : '선택';
 
             $select = '<select id="it_supply_'.$seq.'" class="it_supply">'.PHP_EOL;
-            $select .= '<option value="">'.$first_option_title.'</option>'.PHP_EOL;
+            $select .= '<option value="">'.get_text($first_option_title).'</option>'.PHP_EOL;
             for($k=0; $k<$opt_count; $k++) {
                 $opt_val = $opt[$k];
                 if($opt_val) {