Merge branch 'master' of github.com:gnuboard/g5

2020-04-23 17:51:56 +09:00
parent 09c7dd834e 4c41828e73
commit 87c8abdf25
25 changed files with 121 additions and 53 deletions
--- a/adm/admin.lib.php
+++ b/adm/admin.lib.php
@ -482,7 +482,7 @@ function admin_check_xss_params($params){

        if( is_array($value) ){
            admin_check_xss_params($value);
-        } else if ( preg_match('/<\s?[^\>]*\/?\s?>/i', $value) && (preg_match('/script.*?\/script/ius', $value) || preg_match('/[onload|onerror]=.*/ius', $value)) ){
+        } else if ( (preg_match('/<\s?[^\>]*\/?\s?>/i', $value) && (preg_match('/script.*?\/script/ius', $value) || preg_match('/[onload|onerror]=.*/ius', $value))) || preg_match('/^(?=.*get_ajax_token\()(?=.*xmlhttprequest\()(?=.*send\().*$/im', $value) ){
            alert('요청 쿼리에 잘못된 스크립트문장이 있습니다.\\nXSS 공격일수도 있습니다.');
            die();
        }