From b1fc952c7600b825c4b02e2789ddafdea18c8d13 Mon Sep 17 00:00:00 2001
From: thisgun
Date: Wed, 22 Aug 2018 14:02:14 +0900
Subject: [PATCH] =?UTF-8?q?XSS=20=EC=B7=A8=EC=95=BD=EC=A0=90=20=EC=88=98?=
 =?UTF-8?q?=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 adm/boardgroup_form.php           | 2 +-
 adm/boardgroup_form_update.php    | 4 +++-
 adm/boardgroup_list_update.php    | 3 ++-
 adm/contentform.php               | 8 +++++---
 adm/contentformupdate.php         | 1 +
 adm/faqmasterform.php             | 1 +
 adm/faqmasterformupdate.php       | 2 ++
 adm/newwinform.php                | 2 +-
 adm/newwinformupdate.php          | 4 +++-
 adm/point_update.php              | 6 +++---
 adm/sms_admin/num_book_update.php | 2 ++
 adm/sms_admin/num_book_write.php  | 4 ++--
 12 files changed, 26 insertions(+), 13 deletions(-)
diff --git a/adm/boardgroup_form.php b/adm/boardgroup_form.php
index df2b9b2c1..73e162d98 100644
--- a/adm/boardgroup_form.php
+++ b/adm/boardgroup_form.php
@@ -12,7 +12,7 @@ $sound_only = '';
 if ($w == '') {
     $gr_id_attr = 'required';
     $sound_only = ' 필수';
-    $gr['gr_use_access'] = 0;
+    $gr = array('gr_use_access' => 0);
     $html_title .= ' 생성';
 } else if ($w == 'u') {
     $gr_id_attr = 'readonly';
diff --git a/adm/boardgroup_form_update.php b/adm/boardgroup_form_update.php
index c29558fdd..7ce694a8e 100644
--- a/adm/boardgroup_form_update.php
+++ b/adm/boardgroup_form_update.php
@@ -16,7 +16,9 @@ if (!preg_match("/^([A-Za-z0-9_]{1,10})$/", $_POST['gr_id']))
 if (!$gr_subject)
     alert('그룹 제목을 입력하세요.');
-$sql_common = " gr_subject = '{$_POST['gr_subject']}',
+$gr_subject = isset($_POST['gr_subject']) ? strip_tags($_POST['gr_subject']) : '';
+
+$sql_common = " gr_subject = '{$gr_subject}',
                 gr_device = '{$_POST['gr_device']}',
                 gr_admin = '{$_POST['gr_admin']}',
                 gr_1_subj = '{$_POST['gr_1_subj']}',
diff --git a/adm/boardgroup_list_update.php b/adm/boardgroup_list_update.php
index c10cd247f..fbf9e2f1a 100644
--- a/adm/boardgroup_list_update.php
+++ b/adm/boardgroup_list_update.php
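Review bot: The reset `$gr = array('gr_use_access' => 0);` is the security-relevant line of this hunk, yet nothing says why a fresh array replaces the old single-key assignment. Presumably `$gr` can already carry request-supplied keys when `$w == ''` (this codebase appears to extract request parameters into globals), in which case the form would otherwise render them; a comment such as `// new group: start from an empty array so request-supplied $gr values never reach the form` would record that. The same undocumented reset appears for `$co` in adm/contentform.php, `$fm` in adm/faqmasterform.php and `$write` in adm/sms_admin/num_book_write.php. The `else if ($w == 'u')` branch continues past the hunk.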
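Review bot: The empty-subject check `if (!$gr_subject)` still runs on the unfiltered value and only afterwards is `$gr_subject` reassigned from `strip_tags($_POST['gr_subject'])`, so a subject consisting only of markup passes validation and is stored as an empty string (assuming the earlier `$gr_subject` is derived from the same POST field, which the hunk does not show). Moving the new assignment above the check keeps validation and the stored value in step: `$gr_subject = isset($_POST['gr_subject']) ? strip_tags($_POST['gr_subject']) : '';` followed by `if (!$gr_subject)`. adm/sms_admin/num_book_update.php has the same ordering, with `strip_tags($bk_name)` placed after the `strlen(trim($bk_name))` check. The `$sql_common` string continues past the hunk.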
@@ -19,10 +19,11 @@ for ($i=0; $i<$count; $i++)
 {
     $k = $_POST['chk'][$i];
     $gr_id = $_POST['group_id'][$k];
+    $gr_subject = strip_tags($_POST['gr_subject'][$k]);
     if($_POST['act_button'] == '선택수정') {
         $sql = " update {$g5['group_table']}
-                    set gr_subject = '{$_POST['gr_subject'][$k]}',
+                    set gr_subject = '{$gr_subject}',
                         gr_device = '{$_POST['gr_device'][$k]}',
                         gr_admin = '{$_POST['gr_admin'][$k]}',
                         gr_use_access = '{$_POST['gr_use_access'][$k]}',
diff --git a/adm/contentform.php b/adm/contentform.php
index 024a17615..7ebe8bf01 100644
--- a/adm/contentform.php
+++ b/adm/contentform.php
@@ -49,9 +49,11 @@ if ($w == "u")
 else
 {
     $html_title .= ' 입력';
-    $co['co_html'] = 2;
-    $co['co_skin'] = 'basic';
-    $co['co_mobile_skin'] = 'basic';
+    $co = array(
+        'co_html' => 2,
+        'co_skin' => 'basic',
+        'co_mobile_skin' => 'basic'
+    );
 }
 include_once (G5_ADMIN_PATH.'/admin.head.php');
diff --git a/adm/contentformupdate.php b/adm/contentformupdate.php
index d344c4707..dff780a39 100644
--- a/adm/contentformupdate.php
+++ b/adm/contentformupdate.php
@@ -20,6 +20,7 @@ if ($w == "" || $w == "u")
     $co_row = sql_fetch($sql);
 }
+$co_subject = strip_tags($co_subject);
 $co_include_head = preg_replace(array("#[\\\]+$#", "#(<\?php|<\?)#i"), "", substr($co_include_head, 0, 255));
 $co_include_tail = preg_replace(array("#[\\\]+$#", "#(<\?php|<\?)#i"), "", substr($co_include_tail, 0, 255));
diff --git a/adm/faqmasterform.php b/adm/faqmasterform.php
index df87fec03..d48f69e49 100644
--- a/adm/faqmasterform.php
+++ b/adm/faqmasterform.php
@@ -21,6 +21,7 @@ if ($w == "u")
 else
 {
     $html_title .= ' 입력';
+    $fm = array();
 }
 $g5['title'] = $html_title.' 관리';
diff --git a/adm/faqmasterformupdate.php b/adm/faqmasterformupdate.php
index fed67d644..f753683e3 100644
--- a/adm/faqmasterformupdate.php
+++ b/adm/faqmasterformupdate.php
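Review bot: `strip_tags($_POST['gr_subject'][$k])` has no existence guard, unlike the `isset(...) ? strip_tags(...) : ''` form this same patch uses in adm/boardgroup_form_update.php and adm/newwinformupdate.php, so a request missing that field raises an undefined-index notice and passes null to strip_tags (deprecated in newer PHP). Use the guarded form here too: `$gr_subject = isset($_POST['gr_subject'][$k]) ? strip_tags($_POST['gr_subject'][$k]) : '';`. The three unguarded `strip_tags($_POST[...])` lines in adm/point_update.php have the same inconsistency. The `for` body and the `$sql` string continue past the hunk.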
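Review bot: `$co_subject = strip_tags($co_subject);` filters input but is not output encoding: quotes and other attribute-significant characters survive strip_tags, so a subject later echoed into an HTML attribute such as `value="..."` still needs `htmlspecialchars()` (or the project's text-escaping helper) at the echo site, and the strip also silently corrupts legitimate titles that contain `<`. The storage-side strip is acceptable as defence in depth, but the templates that display these subjects should be checked for per-context escaping; this applies to every strip_tags line in the patch. A comment such as `// defence in depth only: display sites must still escape per context` above the line would make that contract explicit. Where `$co_subject` is populated is outside the hunk.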
@@ -18,6 +18,8 @@ check_admin_token();
 if ($fm_himg_del) @unlink(G5_DATA_PATH."/faq/{$fm_id}_h");
 if ($fm_timg_del) @unlink(G5_DATA_PATH."/faq/{$fm_id}_t");
+$fm_subject = strip_tags($fm_subject);
+
 $sql_common = " set fm_subject = '$fm_subject',
                     fm_head_html = '$fm_head_html',
                     fm_tail_html = '$fm_tail_html',
diff --git a/adm/newwinform.php b/adm/newwinform.php
index 1e64f41e2..10aab222d 100644
--- a/adm/newwinform.php
+++ b/adm/newwinform.php
@@ -109,7 +109,7 @@ include_once (G5_ADMIN_PATH.'/admin.head.php');
-
+
diff --git a/adm/newwinformupdate.php b/adm/newwinformupdate.php
index 191e54a3a..1441ac820 100644
--- a/adm/newwinformupdate.php
+++ b/adm/newwinformupdate.php
@@ -12,6 +12,8 @@ else
     check_admin_token();
+$nw_subject = isset($_POST['nw_subject']) ? strip_tags($_POST['nw_subject']) : '';
+
 $sql_common = " nw_device = '{$_POST['nw_device']}',
                 nw_begin_time = '{$_POST['nw_begin_time']}',
                 nw_end_time = '{$_POST['nw_end_time']}',
@@ -20,7 +22,7 @@ $sql_common = " nw_device = '{$_POST['nw_device']}',
                 nw_top = '{$_POST['nw_top']}',
                 nw_height = '{$_POST['nw_height']}',
                 nw_width = '{$_POST['nw_width']}',
-                nw_subject = '{$_POST['nw_subject']}',
+                nw_subject = '{$nw_subject}',
                 nw_content = '{$_POST['nw_content']}',
                 nw_content_html = '{$_POST['nw_content_html']}' ";
diff --git a/adm/point_update.php b/adm/point_update.php
index 2240e6022..571a1dfa6 100644
--- a/adm/point_update.php
+++ b/adm/point_update.php
@@ -6,9 +6,9 @@ auth_check($auth[$sub_menu], 'w');
 check_admin_token();
-$mb_id = $_POST['mb_id'];
-$po_point = $_POST['po_point'];
-$po_content = $_POST['po_content'];
+$mb_id = strip_tags($_POST['mb_id']);
+$po_point = strip_tags($_POST['po_point']);
+$po_content = strip_tags($_POST['po_content']);
 $expire = preg_replace('/[^0-9]/', '', $_POST['po_expire_term']);
 $mb = get_member($mb_id);
diff --git a/adm/sms_admin/num_book_update.php b/adm/sms_admin/num_book_update.php
index 578c482df..0a13c641f 100644
--- a/adm/sms_admin/num_book_update.php
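Review bot: `nw_subject` is now stripped while `nw_content` and `nw_content_html` on the following lines are still stored verbatim from `$_POST`; that looks deliberate (popup content is admin-authored HTML) but nothing records it, so the next reader may either re-fix it or assume the subject is the only untrusted field. Add `// nw_content / nw_content_html are intentionally raw: admin-authored popup HTML` next to the `nw_subject` line, or strip them as well if that is not the intent. The `$sql_common` string opens in the previous hunk and closes on the last line shown here.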
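Review bot: `strip_tags()` is the wrong filter for `$po_point` and `$mb_id`: a point amount is numeric, and this same patch already casts `(int) $bg_no` in adm/sms_admin/num_book_write.php while the context line below digit-filters `$po_expire_term`, so `$po_point = (int) $_POST['po_point'];` would be consistent if point values are integral. `$mb_id` is an identifier and is better validated against an explicit identifier pattern, the way `gr_id` is checked with `preg_match` in adm/boardgroup_form_update.php, than tag-stripped. strip_tags remains a reasonable choice for free text such as `$po_content`. What `get_member($mb_id)` does with the value is outside the hunk.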
+++ b/adm/sms_admin/num_book_update.php
@@ -21,6 +21,8 @@ if ($w=='u') // 업데이트
     if (!strlen(trim($bk_name)))
         alert('이름을 입력해주세요');
+    $bk_name = strip_tags($bk_name);
+
     if ($bk_hp == '')
         alert('휴대폰번호만 입력 가능합니다.');
     /*
diff --git a/adm/sms_admin/num_book_write.php b/adm/sms_admin/num_book_write.php
index 2e05a4b67..06896f81e 100644
--- a/adm/sms_admin/num_book_write.php
+++ b/adm/sms_admin/num_book_write.php
@@ -30,7 +30,7 @@ if ($w == 'u' && is_numeric($bk_no)) {
     $g5['title'] .= '수정';
 } else {
-    $write['bg_no'] = $bg_no;
+    $write = array('bg_no' => (int) $bg_no);
     $g5['title'] .= '추가';
 }
@@ -74,7 +74,7 @@ include_once(G5_ADMIN_PATH."/admin.head.php");
-
+