1:1문의 이메일 입력 XSS 취약점 재수정

bbs/qaview.php

@@ -30,7 +30,7 @@ if(is_file($skin_file)) {
     $view['content'] = conv_content($view['qa_content'], $view['qa_html']);
     $view['name'] = get_text($view['qa_name']);
     $view['datetime'] = $view['qa_datetime'];
-    $view['email'] = get_text(strip_tags2($view['qa_email']));
+    $view['email'] = get_text(get_email_address($view['qa_email']));
     $view['hp'] = $view['qa_hp'];
 
     if (trim($stx))

bbs/qawrite_update.php

@@ -16,7 +16,7 @@ $msg = array();
 
 // e-mail 체크
 if(isset($_POST['qa_email']) && $qa_email) {
-    $qa_email = strip_tags2(trim($_POST['qa_email']));
+    $qa_email = get_email_address(trim($_POST['qa_email']));
 
     if($qaconfig['qa_req_email'] && !$qa_email)
         $msg[] = '이메일을 입력하세요.';

lib/common.lib.php

@@ -2711,12 +2711,11 @@ function member_delete($mb_id)
     sql_query($sql);
 }
 
-// strip_tags 변형
+// 이메일 주소 추출
-function strip_tags2($str)
+function get_email_address($email)
 {
-    if(!$str)
+    preg_match("/[0-9a-z._-]+@[a-z0-9._-]{4,}/i", $email, $matches);
-        return '';
 
-    return strip_tags(preg_replace("#<script[^<]*</script[^>]*>#i", "", $str));
+    return $matches[0];
 }
 ?>