From bc5779fafbd9a363b0b392c2b30b03f70d1b87f8 Mon Sep 17 00:00:00 2001
From: thisgun
Date: Fri, 16 Nov 2018 17:54:57 +0900
Subject: [PATCH] =?UTF-8?q?KVE-2018-1316=20=EA=B7=B8=EB=88=84=EB=B3=B4?=
 =?UTF-8?q?=EB=93=9C,=EC=98=81=EC=B9=B4=ED=8A=B8=20=EC=B7=A8=EC=95=BD?=
 =?UTF-8?q?=EC=A0=90=20=EC=88=98=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 bbs/confirm.php | 6 +++---
 bbs/member_confirm.php | 9 +++++++--
 lib/common.lib.php | 2 ++
 3 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/bbs/confirm.php b/bbs/confirm.php
index fcf94e0e9..a80f5eab1 100644
--- a/bbs/confirm.php
+++ b/bbs/confirm.php
@@ -2,9 +2,9 @@
 include_once('./_common.php');
 include_once(G5_PATH.'/head.sub.php');
-$url1 = clean_xss_tags($url1);
-$url2 = clean_xss_tags($url2);
-$url3 = clean_xss_tags($url3);
+$url1 = preg_replace("/[\<\>\'\"\\\'\\\"\(\)]/", "", clean_xss_tags($url1));
+$url2 = preg_replace("/[\<\>\'\"\\\'\\\"\(\)]/", "", clean_xss_tags($url2));
+$url3 = preg_replace("/[\<\>\'\"\\\'\\\"\(\)]/", "", clean_xss_tags($url3));
 // url 체크
 check_url_host($url1);
diff --git a/bbs/member_confirm.php b/bbs/member_confirm.php
index 722a78302..e3fc28498 100644
--- a/bbs/member_confirm.php
+++ b/bbs/member_confirm.php
@@ -24,10 +24,15 @@
 include_once('./_head.sub.php');
 // url 체크
 check_url_host($url, '', G5_URL, true);
-if( preg_match('#^/{3,}#', $url) ){
- $url = preg_replace('#^/{3,}#', '/', $url);
+if($url){
+ $url = preg_replace('#^/\\\{1,}#', '/', $url);
+
+ if( preg_match('#^/{3,}#', $url) ){
+ $url = preg_replace('#^/{3,}#', '/', $url);
+ }
 }
+
 $url = get_text($url);
 include_once($member_skin_path.'/member_confirm.skin.php');
diff --git a/lib/common.lib.php b/lib/common.lib.php
index c12ff17e3..5391220b6 100644
--- a/lib/common.lib.php
+++ b/lib/common.lib.php
@@ -2885,6 +2885,8 @@ function clean_xss_tags($str)
 {
 $str = preg_replace('#]*+>#i', '', $str);
+ $str = str_replace(array('',''), '', $str);
+
 return $str;
 }
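Review bot: The three added `preg_replace` lines strip characters out of `$url1`–`$url3` instead of escaping them where confirm.php emits them (outside this hunk), so legitimate URLs are silently rewritten — `(`, `)` and `\` are valid in a URL — while the same characters in percent-encoded form pass through untouched; the durable fix is context-specific escaping at the output site (`htmlspecialchars($url1, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` in markup, `json_encode` inside script), with this stripping at most defence in depth. The double-quoted pattern is also hard to audit: after PHP's own escape processing the class that reaches PCRE contains `< > ' " \ ( )`, the backslash arriving only through the `\\\'\\\"` pairs, so write the set once in single quotes with a comment naming it, e.g. `$strip = '/[<>\'"\\\\()]/'; // remove <>'"\() before the value reaches markup`, and apply it to the three variables in a loop rather than repeating the literal. The trailing context shows only `check_url_host($url1)`; if `$url2` and `$url3` are not checked on the following lines, which are outside the hunk, they should be.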
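Review bot: The new normalization block runs after `check_url_host($url, '', G5_URL, true)` has already accepted `$url`, so the string that was validated is not the string that is rewritten and then used; moving the `if($url){ … }` block above the check keeps validation and use on the same value (the rest of the file is outside the hunk, so I cannot see whether anything later depends on the current order). Inside the block the `preg_match` guard around the second `preg_replace` is redundant, since `preg_replace` leaves a non-matching subject unchanged, so `$url = preg_replace('#^/{3,}#', '/', $url);` on its own is enough. The first pattern, `'#^/\\\{1,}#'`, reaches PCRE as `^/\\{1,}`, i.e. a leading slash followed by one or more backslashes; `'#^/\\\\+#'` says the same without the escaping puzzle and deserves a comment such as `// browsers treat a leading "/\" like "//"; collapse it to a plain relative path`. Note that `if($url)` is a truthiness test, so the literal `'0'` skips normalization; harmless here, but `$url !== ''` states the intent.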
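Review bot: As this page renders it, the added `str_replace(array('',''), '', $str)` has an empty search list and is therefore a no-op, so either the two tokens were lost in rendering (likely, since the context line's pattern has also lost its bracketed content) or the line does nothing; either way the tokens should be named in a comment on the line so a reader knows what is being removed and why. A single-pass `str_replace` removal is also not a complete filter — deleting a substring can leave its neighbours forming the same token again — so if the cleaned value can ever reach a place where it is interpreted rather than displayed, repeat the replacement until the string stops changing or reject the input instead of stripping once. The `preg_replace` on the context line returns `null` on a PCRE error (for example the backtrack limit on very long input), and the new line then turns that `null` into `''`, so the function would silently return an empty string rather than fail; checking `$str === null` right after the `preg_replace` and throwing, or returning the original input, would make that visible. The function's signature sits in the hunk header and its doc comment is outside the hunk; it should state that this helper strips tags and delimiters but is not an output escaper, so callers still need `htmlspecialchars` at output.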