From 97ee35e985997a9b9daddf8fb3dde753ef8b47c4 Mon Sep 17 00:00:00 2001
From: thisgun <thisgun@naver.com>
Date: Fri, 7 Dec 2018 10:59:59 +0900
Subject: [PATCH] =?UTF-8?q?KVE-2018-1316=20=EC=B7=A8=EC=95=BD=EC=A0=90=20?=
 =?UTF-8?q?=EB=8B=A4=EC=8B=9C=20=EC=88=98=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 lib/common.lib.php | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/lib/common.lib.php b/lib/common.lib.php
index c07a23194..2ee0ad6c3 100644
--- a/lib/common.lib.php
+++ b/lib/common.lib.php
@@ -2883,9 +2883,15 @@ function get_search_string($stx)
 // XSS 관련 태그 제거
 function clean_xss_tags($str)
 {
-    $str = preg_replace('#</*(?:applet|b(?:ase|gsound|link)|embed|frame(?:set)?|i(?:frame|layer)|l(?:ayer|ink)|meta|object|s(?:cript|tyle)|title|xml)[^>]*+>#i', '', $str);
-
-    $str = str_replace(array('<script>','</script>','<noscript>','</noscript>'), '', $str);
+    $str_len = strlen($str);
+    
+    while($i <= $str_len){
+        $result = preg_replace('#</*(?:applet|b(?:ase|gsound|link)|embed|frame(?:set)?|i(?:frame|layer)|l(?:ayer|ink)|meta|object|s(?:cript|tyle)|title|xml)[^>]*+>#i', '', $str);
+        if((string)$result === (string)$str)
+            break;
+        $str = $result;
+        $i++;
+    }
 
     return $str;
 }