From 97a8352117df9be35ac52b9790bf910964bb695c Mon Sep 17 00:00:00 2001
From: thisgun <thisgun@naver.com>
Date: Thu, 1 Dec 2022 15:22:48 +0900
Subject: [PATCH] =?UTF-8?q?[KVE-2022-2036]=20Gnuboard5=20=EA=B4=80?=
 =?UTF-8?q?=EB=A6=AC=EC=9E=90=ED=8E=98=EC=9D=B4=EC=A7=80=20=EB=82=B4=20Sto?=
 =?UTF-8?q?red=20XSS=20=EC=B7=A8=EC=95=BD=EC=A0=90=20=EC=88=98=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 adm/mail_select_list.php              | 2 +-
 adm/member_form.php                   | 6 +++---
 adm/poll_form.php                     | 4 ++--
 adm/shop_admin/configform.php         | 2 +-
 adm/sms_admin/ajax.sms_write_form.php | 2 ++
 adm/sms_admin/form_list.php           | 2 +-
 adm/sms_admin/form_write.php          | 2 +-
 adm/sms_admin/history_view.php        | 2 +-
 8 files changed, 12 insertions(+), 10 deletions(-)

diff --git a/adm/mail_select_list.php b/adm/mail_select_list.php
index a3046afac..78d802eb3 100644
--- a/adm/mail_select_list.php
+++ b/adm/mail_select_list.php
@@ -121,7 +121,7 @@ require_once './admin.head.php';
                 <?php } ?>
             </tbody>
         </table>
-        <textarea name="ma_list" style="display:none"><?php echo $ma_list ?></textarea>
+        <textarea name="ma_list" style="display:none"><?php echo html_purifier($ma_list); ?></textarea>
     </div>
 
     <div class="btn_confirm01 btn_confirm">
diff --git a/adm/member_form.php b/adm/member_form.php
index 8040e9d09..16694b3fd 100644
--- a/adm/member_form.php
+++ b/adm/member_form.php
@@ -380,15 +380,15 @@ add_javascript(G5_POSTCODE_JS, 0);    //다음 주소 js
                 </tr>
                 <tr>
                     <th scope="row"><label for="mb_signature">서명</label></th>
-                    <td colspan="3"><textarea name="mb_signature" id="mb_signature"><?php echo $mb['mb_signature'] ?></textarea></td>
+                    <td colspan="3"><textarea name="mb_signature" id="mb_signature"><?php echo html_purifier($mb['mb_signature']); ?></textarea></td>
                 </tr>
                 <tr>
                     <th scope="row"><label for="mb_profile">자기 소개</label></th>
-                    <td colspan="3"><textarea name="mb_profile" id="mb_profile"><?php echo $mb['mb_profile'] ?></textarea></td>
+                    <td colspan="3"><textarea name="mb_profile" id="mb_profile"><?php echo html_purifier($mb['mb_profile']); ?></textarea></td>
                 </tr>
                 <tr>
                     <th scope="row"><label for="mb_memo">메모</label></th>
-                    <td colspan="3"><textarea name="mb_memo" id="mb_memo"><?php echo $mb['mb_memo'] ?></textarea></td>
+                    <td colspan="3"><textarea name="mb_memo" id="mb_memo"><?php echo html_purifier($mb['mb_memo']); ?></textarea></td>
                 </tr>
                 <tr>
                     <th scope="row"><label for="mb_cert_history">본인인증 내역</label></th>
diff --git a/adm/poll_form.php b/adm/poll_form.php
index 337f9ba46..62cd84082 100644
--- a/adm/poll_form.php
+++ b/adm/poll_form.php
@@ -108,11 +108,11 @@ require_once './admin.head.php';
                     </tr>
                     <tr>
                         <th scope="row"><label for="po_ips">투표참가 IP</label></th>
-                        <td><textarea name="po_ips" id="po_ips" readonly rows="10"><?php echo preg_replace("/\n/", " / ", $po['po_ips']) ?></textarea></td>
+                        <td><textarea name="po_ips" id="po_ips" readonly rows="10"><?php echo html_purifier(preg_replace("/\n/", " / ", $po['po_ips'])); ?></textarea></td>
                     </tr>
                     <tr>
                         <th scope="row"><label for="mb_ids">투표참가 회원</label></th>
-                        <td><textarea name="mb_ids" id="mb_ids" readonly rows="10"><?php echo preg_replace("/\n/", " / ", $po['mb_ids']) ?></textarea></td>
+                        <td><textarea name="mb_ids" id="mb_ids" readonly rows="10"><?php echo html_purifier(preg_replace("/\n/", " / ", $po['mb_ids'])); ?></textarea></td>
                     </tr>
                 <?php } ?>
             </tbody>
diff --git a/adm/shop_admin/configform.php b/adm/shop_admin/configform.php
index 14e808e4b..1925db54e 100644
--- a/adm/shop_admin/configform.php
+++ b/adm/shop_admin/configform.php
@@ -593,7 +593,7 @@ if(!$default['de_kakaopay_cancelpwd']){
         <tr>
             <th scope="row"><label for="de_bank_account">은행계좌번호</label></th>
             <td>
-                <textarea name="de_bank_account" id="de_bank_account"><?php echo $default['de_bank_account']; ?></textarea>
+                <textarea name="de_bank_account" id="de_bank_account"><?php echo html_purifier($default['de_bank_account']); ?></textarea>
             </td>
         </tr>
         <tr>
diff --git a/adm/sms_admin/ajax.sms_write_form.php b/adm/sms_admin/ajax.sms_write_form.php
index 8514179e4..a10025571 100644
--- a/adm/sms_admin/ajax.sms_write_form.php
+++ b/adm/sms_admin/ajax.sms_write_form.php
@@ -66,6 +66,8 @@ while($res = sql_fetch_array($qry))
         $group_name = '미분류';
     else
         $group_name = $tmp['fg_name'];
+
+    $res['fo_content'] = html_purifier($res['fo_content']);
     $list_text .="
     <li class=\"screen_list sms5_box\">
         <span class=\"box_ico\"></span>
diff --git a/adm/sms_admin/form_list.php b/adm/sms_admin/form_list.php
index 9fb66bb4a..2fb38343b 100644
--- a/adm/sms_admin/form_list.php
+++ b/adm/sms_admin/form_list.php
@@ -174,7 +174,7 @@ function multi_update(sel)
             <input type="checkbox" name="fo_no[]" value="<?php echo $res['fo_no']?>" id="fo_no_<?php echo $i; ?>">
         </div>
         <div class="li_preview">
-            <textarea readonly class="box_txt box_square"><?php echo $res['fo_content']?></textarea>
+            <textarea readonly class="box_txt box_square"><?php echo html_purifier($res['fo_content']); ?></textarea>
         </div>
         <div class="li_info">
             <span class="sound_only">그룹 </span><b><?php echo $group_name?></b><br>
diff --git a/adm/sms_admin/form_write.php b/adm/sms_admin/form_write.php
index a28671f38..102263449 100644
--- a/adm/sms_admin/form_write.php
+++ b/adm/sms_admin/form_write.php
@@ -67,7 +67,7 @@ include_once(G5_ADMIN_PATH.'/admin.head.php');
             <div class="sms5_box write_wrap">
                 <span class="box_ico"></span>
                 <label for="sms_contents" id="wr_message_lbl">내용</label>
-                <textarea name="fo_content" id="sms_contents" class="box_txt box_square" onkeyup="byte_check('sms_contents', 'sms_bytes');" accesskey="m"><?php echo $write['fo_content']?></textarea>
+                <textarea name="fo_content" id="sms_contents" class="box_txt box_square" onkeyup="byte_check('sms_contents', 'sms_bytes');" accesskey="m"><?php echo html_purifier($write['fo_content']); ?></textarea>
 
                 <div id="sms_byte"><span id="sms_bytes">0</span> / 80 byte</div>
 
diff --git a/adm/sms_admin/history_view.php b/adm/sms_admin/history_view.php
index 1cf76df57..ead45445b 100644
--- a/adm/sms_admin/history_view.php
+++ b/adm/sms_admin/history_view.php
@@ -109,7 +109,7 @@ function all_send()
 
     <div id="con_sms" class="sms5_box">
         <span class="box_ico"></span>
-        <textarea class="box_txt is_overview" readonly><?php echo $write['wr_message'];?></textarea>
+        <textarea class="box_txt is_overview" readonly><?php echo html_purifier($write['wr_message']); ?></textarea>
     </div>
 
     <?php if ($write['wr_re_total'] && !$wr_renum) { ?>