Merge branch 'g5'

2016-02-11 10:56:11 +09:00
parent 3dad98c975 1a142e5250
commit 96f6252d7b
15 changed files with 34 additions and 12 deletions
--- a/bbs/alert.php
+++ b/bbs/alert.php
@ -33,6 +33,8 @@ $msg2 = str_replace("\\n", "<br>", $msg);
 $url = clean_xss_tags($url);
 if (!$url) $url = clean_xss_tags($_SERVER['HTTP_REFERER']);

+$url = preg_replace("/[\<\>\'\"\\\'\\\"\(\)]/", "", $url);
+
 // url 체크
 check_url_host($url);

--- a/bbs/formmail.php
+++ b/bbs/formmail.php
@ -28,6 +28,12 @@ if ($sendmail_count > 3)
 $g5['title'] = '메일 쓰기';
 include_once(G5_PATH.'/head.sub.php');

+$email = get_email_address(base64_decode($email));
+if(!$email)
+    alert_close('이메일이 올바르지 않습니다.');
+
+$email = base64_encode($email);
+
 if (!$name)
    $name = base64_decode($email);
 else
--- a/bbs/member_confirm.php
+++ b/bbs/member_confirm.php
@ -19,6 +19,8 @@ $url = clean_xss_tags($_GET['url']);
 // url 체크
 check_url_host($url);

+$url = get_text($url);
+
 include_once($member_skin_path.'/member_confirm.skin.php');

 include_once('./_tail.sub.php');
--- a/mobile/skin/board/basic/view_comment.skin.php
+++ b/mobile/skin/board/basic/view_comment.skin.php
@ -53,8 +53,10 @@ var char_max = parseInt(<?php echo $comment_max ?>); // 최대
            $query_string = clean_query_string($_SERVER['QUERY_STRING']);

            if($w == 'cu') {
-                $sql = " select wr_id, wr_content from $write_table where wr_id = '$c_id' and wr_is_comment = '1' ";
+                $sql = " select wr_id, wr_content, mb_id from $write_table where wr_id = '$c_id' and wr_is_comment = '1' ";
                $cmt = sql_fetch($sql);
+                if (!($is_admin || ($member['mb_id'] == $cmt['mb_id'] && $cmt['mb_id'])))
+                    $cmt['wr_content'] = '';
                $c_wr_content = $cmt['wr_content'];
            }

--- a/mobile/skin/board/gallery/view_comment.skin.php
+++ b/mobile/skin/board/gallery/view_comment.skin.php
@ -53,8 +53,10 @@ var char_max = parseInt(<?php echo $comment_max ?>); // 최대
            $query_string = clean_query_string($_SERVER['QUERY_STRING']);

            if($w == 'cu') {
-                $sql = " select wr_id, wr_content from $write_table where wr_id = '$c_id' and wr_is_comment = '1' ";
+                $sql = " select wr_id, wr_content, mb_id from $write_table where wr_id = '$c_id' and wr_is_comment = '1' ";
                $cmt = sql_fetch($sql);
+                if (!($is_admin || ($member['mb_id'] == $cmt['mb_id'] && $cmt['mb_id'])))
+                    $cmt['wr_content'] = '';
                $c_wr_content = $cmt['wr_content'];
            }

--- a/mobile/skin/member/basic/formmail.skin.php
+++ b/mobile/skin/member/basic/formmail.skin.php
@ -11,7 +11,6 @@ add_stylesheet('<link rel="stylesheet" href="'.$member_skin_url.'/style.css">',
    <form name="fformmail" action="./formmail_send.php" onsubmit="return fformmail_submit(this);" method="post" enctype="multipart/form-data" style="margin:0px;">
    <input type="hidden" name="to" value="<?php echo $email ?>">
    <input type="hidden" name="attach" value="2">
-    <input type="hidden" name="token" value="<?php echo $token ?>">
    <?php if ($is_member) { // 회원이면 ?>
    <input type="hidden" name="fnick" value="<?php echo get_text($member['mb_nick']); ?>">
    <input type="hidden" name="fmail" value="<?php echo $member['mb_email'] ?>">
--- a/skin/board/basic/view_comment.skin.php
+++ b/skin/board/basic/view_comment.skin.php
@ -59,8 +59,10 @@ var char_max = parseInt(<?php echo $comment_max ?>); // 최대
            $query_string = clean_query_string($_SERVER['QUERY_STRING']);

            if($w == 'cu') {
-                $sql = " select wr_id, wr_content from $write_table where wr_id = '$c_id' and wr_is_comment = '1' ";
+                $sql = " select wr_id, wr_content, mb_id from $write_table where wr_id = '$c_id' and wr_is_comment = '1' ";
                $cmt = sql_fetch($sql);
+                if (!($is_admin || ($member['mb_id'] == $cmt['mb_id'] && $cmt['mb_id'])))
+                    $cmt['wr_content'] = '';
                $c_wr_content = $cmt['wr_content'];
            }

--- a/skin/board/gallery/view_comment.skin.php
+++ b/skin/board/gallery/view_comment.skin.php
@ -59,8 +59,10 @@ var char_max = parseInt(<?php echo $comment_max ?>); // 최대
            $query_string = clean_query_string($_SERVER['QUERY_STRING']);

            if($w == 'cu') {
-                $sql = " select wr_id, wr_content from $write_table where wr_id = '$c_id' and wr_is_comment = '1' ";
+                $sql = " select wr_id, wr_content, mb_id from $write_table where wr_id = '$c_id' and wr_is_comment = '1' ";
                $cmt = sql_fetch($sql);
+                if (!($is_admin || ($member['mb_id'] == $cmt['mb_id'] && $cmt['mb_id'])))
+                    $cmt['wr_content'] = '';
                $c_wr_content = $cmt['wr_content'];
            }

--- a/skin/member/basic/formmail.skin.php
+++ b/skin/member/basic/formmail.skin.php
@ -12,7 +12,6 @@ add_stylesheet('<link rel="stylesheet" href="'.$member_skin_url.'/style.css">',
    <form name="fformmail" action="./formmail_send.php" onsubmit="return fformmail_submit(this);" method="post" enctype="multipart/form-data" style="margin:0px;">
    <input type="hidden" name="to" value="<?php echo $email ?>">
    <input type="hidden" name="attach" value="2">
-    <input type="hidden" name="token" value="<?php echo $token ?>">
    <?php if ($is_member) { // 회원이면  ?>
    <input type="hidden" name="fnick" value="<?php echo get_text($member['mb_nick']); ?>">
    <input type="hidden" name="fmail" value="<?php echo $member['mb_email'] ?>">
--- a/theme/basic/mobile/skin/board/basic/view_comment.skin.php
+++ b/theme/basic/mobile/skin/board/basic/view_comment.skin.php
@ -53,8 +53,10 @@ var char_max = parseInt(<?php echo $comment_max ?>); // 최대
            $query_string = clean_query_string($_SERVER['QUERY_STRING']);

            if($w == 'cu') {
-                $sql = " select wr_id, wr_content from $write_table where wr_id = '$c_id' and wr_is_comment = '1' ";
+                $sql = " select wr_id, wr_content, mb_id from $write_table where wr_id = '$c_id' and wr_is_comment = '1' ";
                $cmt = sql_fetch($sql);
+                if (!($is_admin || ($member['mb_id'] == $cmt['mb_id'] && $cmt['mb_id'])))
+                    $cmt['wr_content'] = '';
                $c_wr_content = $cmt['wr_content'];
            }

--- a/theme/basic/mobile/skin/board/gallery/view_comment.skin.php
+++ b/theme/basic/mobile/skin/board/gallery/view_comment.skin.php
@ -53,8 +53,10 @@ var char_max = parseInt(<?php echo $comment_max ?>); // 최대
            $query_string = clean_query_string($_SERVER['QUERY_STRING']);

            if($w == 'cu') {
-                $sql = " select wr_id, wr_content from $write_table where wr_id = '$c_id' and wr_is_comment = '1' ";
+                $sql = " select wr_id, wr_content, mb_id from $write_table where wr_id = '$c_id' and wr_is_comment = '1' ";
                $cmt = sql_fetch($sql);
+                if (!($is_admin || ($member['mb_id'] == $cmt['mb_id'] && $cmt['mb_id'])))
+                    $cmt['wr_content'] = '';
                $c_wr_content = $cmt['wr_content'];
            }

--- a/theme/basic/mobile/skin/member/basic/formmail.skin.php
+++ b/theme/basic/mobile/skin/member/basic/formmail.skin.php
@ -11,7 +11,6 @@ add_stylesheet('<link rel="stylesheet" href="'.$member_skin_url.'/style.css">',
    <form name="fformmail" action="./formmail_send.php" onsubmit="return fformmail_submit(this);" method="post" enctype="multipart/form-data" style="margin:0px;">
    <input type="hidden" name="to" value="<?php echo $email ?>">
    <input type="hidden" name="attach" value="2">
-    <input type="hidden" name="token" value="<?php echo $token ?>">
    <?php if ($is_member) { // 회원이면 ?>
    <input type="hidden" name="fnick" value="<?php echo get_text($member['mb_nick']); ?>">
    <input type="hidden" name="fmail" value="<?php echo $member['mb_email'] ?>">
--- a/theme/basic/skin/board/basic/view_comment.skin.php
+++ b/theme/basic/skin/board/basic/view_comment.skin.php
@ -59,8 +59,10 @@ var char_max = parseInt(<?php echo $comment_max ?>); // 최대
            $query_string = clean_query_string($_SERVER['QUERY_STRING']);

            if($w == 'cu') {
-                $sql = " select wr_id, wr_content from $write_table where wr_id = '$c_id' and wr_is_comment = '1' ";
+                $sql = " select wr_id, wr_content, mb_id from $write_table where wr_id = '$c_id' and wr_is_comment = '1' ";
                $cmt = sql_fetch($sql);
+                if (!($is_admin || ($member['mb_id'] == $cmt['mb_id'] && $cmt['mb_id'])))
+                    $cmt['wr_content'] = '';
                $c_wr_content = $cmt['wr_content'];
            }

--- a/theme/basic/skin/board/gallery/view_comment.skin.php
+++ b/theme/basic/skin/board/gallery/view_comment.skin.php
@ -59,8 +59,10 @@ var char_max = parseInt(<?php echo $comment_max ?>); // 최대
            $query_string = clean_query_string($_SERVER['QUERY_STRING']);

            if($w == 'cu') {
-                $sql = " select wr_id, wr_content from $write_table where wr_id = '$c_id' and wr_is_comment = '1' ";
+                $sql = " select wr_id, wr_content, mb_id from $write_table where wr_id = '$c_id' and wr_is_comment = '1' ";
                $cmt = sql_fetch($sql);
+                if (!($is_admin || ($member['mb_id'] == $cmt['mb_id'] && $cmt['mb_id'])))
+                    $cmt['wr_content'] = '';
                $c_wr_content = $cmt['wr_content'];
            }

--- a/theme/basic/skin/member/basic/formmail.skin.php
+++ b/theme/basic/skin/member/basic/formmail.skin.php
@ -12,7 +12,6 @@ add_stylesheet('<link rel="stylesheet" href="'.$member_skin_url.'/style.css">',
    <form name="fformmail" action="./formmail_send.php" onsubmit="return fformmail_submit(this);" method="post" enctype="multipart/form-data" style="margin:0px;">
    <input type="hidden" name="to" value="<?php echo $email ?>">
    <input type="hidden" name="attach" value="2">
-    <input type="hidden" name="token" value="<?php echo $token ?>">
    <?php if ($is_member) { // 회원이면  ?>
    <input type="hidden" name="fnick" value="<?php echo get_text($member['mb_nick']) ?>">
    <input type="hidden" name="fmail" value="<?php echo $member['mb_email'] ?>">