From 94f25f73fac224aa5c460306afd203558bde6322 Mon Sep 17 00:00:00 2001
From: thisgun
Date: Mon, 3 Jul 2017 18:18:50 +0900
Subject: [PATCH] =?UTF-8?q?=EA=B7=B8=EB=88=84=EB=B3=B4=EB=93=9C=20?=
 =?UTF-8?q?=EA=B8=80=20=EC=88=98=EC=A0=95=20XSS=20=EC=B7=A8=EC=95=BD?=
 =?UTF-8?q?=EC=A0=90=20=EC=88=98=EC=A0=95=20(=2017-454=20)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 bbs/write.php | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/bbs/write.php b/bbs/write.php
index 93a6dfca3..4282142de 100644
--- a/bbs/write.php
+++ b/bbs/write.php
@@ -401,6 +401,11 @@ if(!is_mobile() || defined('G5_IS_MOBILE_DHTML_USE') && G5_IS_MOBILE_DHTML_USE)
 if ($config['cf_editor'] && $is_dhtml_editor_use && $board['bo_use_dhtml_editor'] && $member['mb_level'] >= $board['bo_html_level']) {
 $is_dhtml_editor = true;
 
+ if ( $w == 'u' && (! $is_member || ! $is_admin || $write['mb_id'] !== $member['mb_id']) ){
+ // kisa 취약점 제보 xss 필터 적용
+ $content = get_text(html_purifier($write['wr_content']), 0);
+ }
+
 if(is_file(G5_EDITOR_PATH.'/'.$config['cf_editor'].'/autosave.editor.js'))
 $editor_content_js = ''.PHP_EOL;
 }
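Review bot: The added condition `( ! $is_member || ! $is_admin || $write['mb_id'] !== $member['mb_id'] )` is an OR-chain, so the sanitizer is skipped only when the editor is a logged-in admin editing a post whose `mb_id` is their own, and every other update (including a non-admin member editing their own post) is filtered; that is the conservative direction, but it reads as if "owner OR admin" was intended, so the intent should be made explicit, e.g. `$is_owner = ($is_member && $write['mb_id'] === $member['mb_id']);` followed by `if ($w == 'u' && !($is_admin && $is_owner)) {`, which is logically equivalent to the committed test. The Korean comment should also be replaced with one that names the reason in the file's language of record, e.g. `// XSS fix (KISA report 17-454): sanitize stored wr_content before it is handed to the DHTML editor`. Note that this filtering lives only inside the DHTML-editor branch; whether the non-DHTML (plain textarea) path that presumably also populates `$content` received the same treatment cannot be seen from this hunk, and `$content` is consumed outside it. The outer `if(!is_mobile() ...)` block shown in the hunk header starts before the hunk.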