[KVE-2019-1424]영카트 Stored XSS 취약점 수정

2019-11-15 18:31:25 +09:00
parent 0d03212fdb
commit b810a24d0a
3 changed files with 7 additions and 1 deletions
--- a/adm/shop_admin/personalpayformupdate.php
+++ b/adm/shop_admin/personalpayformupdate.php
@ -4,6 +4,10 @@ include_once('./_common.php');

 check_admin_token();

+if( isset($_POST['pp_name']) ){
+	$_POST['pp_name'] = strip_tags($_POST['pp_name']);
+}
+
 if($w == 'd') {
    auth_check($auth[$sub_menu], 'd');

--- a/adm/shop_admin/personalpaylist.php
+++ b/adm/shop_admin/personalpaylist.php
@ -115,7 +115,7 @@ $colspan = 10;
            <input type="hidden" id="pp_id_<?php echo $i; ?>" name="pp_id[<?php echo $i; ?>]" value="<?php echo $row['pp_id']; ?>">
            <input type="checkbox" id="chk_<?php echo $i; ?>" name="chk[]" value="<?php echo $i; ?>" title="내역선택">
        </td>
-        <td class="td_left"><?php echo $row['pp_name']; ?></td>
+        <td class="td_left"><?php echo get_text($row['pp_name']); ?></td>
        <td class="td_odrnum3"><?php echo $od_id; ?></td>
        <td class="td_numsum"><?php echo number_format($row['pp_price']); ?></td>
        <td class="td_numincome"><?php echo number_format($row['pp_receipt_price']); ?></td>
--- a/shop/personalpayform.php
+++ b/shop/personalpayform.php
@ -13,6 +13,8 @@ if(!$pp['pp_id'])
 if($pp['pp_tno'])
    alert('이미 결제하신 개인결제 내역입니다.');

+$pp['pp_name'] = strip_tags($pp['pp_name']);
+
 $g5['title'] = $pp['pp_name'].'님 개인결제';

 if(G5_IS_MOBILE)