KVE-2021-1116 그누보드 XSS 취약점 수정

adm/board_form.php

@@ -914,7 +914,7 @@ $pg_anchor = '<ul class="anchor">
         <tr>
             <th scope="row"><label for="bo_include_head">상단 파일 경로</label></th>
             <td>
-                <input type="text" name="bo_include_head" value="<?php echo $board['bo_include_head'] ?>" id="bo_include_head" class="frm_input" size="50">
+                <input type="text" name="bo_include_head" value="<?php echo get_sanitize_input($board['bo_include_head']); ?>" id="bo_include_head" class="frm_input" size="50">
             </td>
             <td class="td_grpset">
                 <input type="checkbox" name="chk_grp_include_head" value="1" id="chk_grp_include_head">
@@ -926,7 +926,7 @@ $pg_anchor = '<ul class="anchor">
         <tr>
             <th scope="row"><label for="bo_include_tail">하단 파일 경로</label></th>
             <td>
-                <input type="text" name="bo_include_tail" value="<?php echo $board['bo_include_tail'] ?>" id="bo_include_tail" class="frm_input" size="50">
+                <input type="text" name="bo_include_tail" value="<?php echo get_sanitize_input($board['bo_include_tail']); ?>" id="bo_include_tail" class="frm_input" size="50">
             </td>
             <td class="td_grpset">
                 <input type="checkbox" name="chk_grp_include_tail" value="1" id="chk_grp_include_tail">
@@ -1423,9 +1423,10 @@ function use_captcha_check(){
     });
 }
 
+var bo_include_head = jQuery.trim(jQuery("#bo_include_head").val()),
+    bo_include_tail = jQuery.trim(jQuery("#bo_include_tail").val());
+
 function frm_check_file(){
-    var bo_include_head = "<?php echo $board['bo_include_head']; ?>";
-    var bo_include_tail = "<?php echo $board['bo_include_tail']; ?>";
     var head = jQuery.trim(jQuery("#bo_include_head").val());
     var tail = jQuery.trim(jQuery("#bo_include_tail").val());
 

adm/contentform.php

@@ -137,14 +137,14 @@ require_once G5_ADMIN_PATH . '/admin.head.php';
                     <th scope="row"><label for="co_include_head">상단 파일 경로</label></th>
                     <td>
                         <?php echo help("설정값이 없으면 기본 상단 파일을 사용합니다."); ?>
-                        <input type="text" name="co_include_head" value="<?php echo $co['co_include_head']; ?>" id="co_include_head" class="frm_input" size="60">
+                        <input type="text" name="co_include_head" value="<?php echo get_sanitize_input($co['co_include_head']); ?>" id="co_include_head" class="frm_input" size="60">
                     </td>
                 </tr>
                 <tr>
                     <th scope="row"><label for="co_include_tail">하단 파일 경로</label></th>
                     <td>
                         <?php echo help("설정값이 없으면 기본 하단 파일을 사용합니다."); ?>
-                        <input type="text" name="co_include_tail" value="<?php echo $co['co_include_tail']; ?>" id="co_include_tail" class="frm_input" size="60">
+                        <input type="text" name="co_include_tail" value="<?php echo get_sanitize_input($co['co_include_tail']); ?>" id="co_include_tail" class="frm_input" size="60">
                     </td>
                 </tr>
                 <tr id="admin_captcha_box" style="display:none;">

adm/qa_config.php

@@ -266,13 +266,13 @@ if (!isset($qaconfig['qa_include_head'])) {
                     <tr>
                         <th scope="row"><label for="qa_include_head">상단 파일 경로</label></th>
                         <td>
-                            <input type="text" name="qa_include_head" value="<?php echo $qaconfig['qa_include_head'] ?>" id="qa_include_head" class="frm_input" size="50">
+                            <input type="text" name="qa_include_head" value="<?php echo get_sanitize_input($qaconfig['qa_include_head']); ?>" id="qa_include_head" class="frm_input" size="50">
                         </td>
                     </tr>
                     <tr>
                         <th scope="row"><label for="qa_include_tail">하단 파일 경로</label></th>
                         <td>
-                            <input type="text" name="qa_include_tail" value="<?php echo $qaconfig['qa_include_tail'] ?>" id="qa_include_tail" class="frm_input" size="50">
+                            <input type="text" name="qa_include_tail" value="<?php echo get_sanitize_input($qaconfig['qa_include_tail']); ?>" id="qa_include_tail" class="frm_input" size="50">
                         </td>
                     </tr>
                     <tr id="admin_captcha_box" style="display:none;">
@@ -344,7 +344,9 @@ if (!isset($qaconfig['qa_include_head'])) {
 </form>
 
 <script>
-    var captcha_chk = false;
+    var captcha_chk = false,
+        qa_include_head = jQuery.trim(jQuery("#qa_include_head").val()),
+        qa_include_tail = jQuery.trim(jQuery("#qa_include_tail").val());
 
     function use_captcha_check() {
         $.ajax({
@@ -361,8 +363,6 @@ if (!isset($qaconfig['qa_include_head'])) {
     }
 
     function frm_check_file() {
-        var qa_include_head = "<?php echo $qaconfig['qa_include_head']; ?>";
-        var qa_include_tail = "<?php echo $qaconfig['qa_include_tail']; ?>";
         var head = jQuery.trim(jQuery("#qa_include_head").val());
         var tail = jQuery.trim(jQuery("#qa_include_tail").val());
 

lib/common.lib.php

@@ -3965,7 +3965,7 @@ function get_random_token_string($length=6)
 }
 
 function filter_input_include_path($path){
-    return str_replace('//', '/', $path);
+    return str_replace('//', '/', strip_tags($path));
 }
 
 function option_array_checked($option, $arr=array()){