From d775d2255fde35631d4c6af03f45620ec5108352 Mon Sep 17 00:00:00 2001
From: thisgun
Date: Tue, 27 Jan 2026 05:50:34 +0000
Subject: [PATCH] =?UTF-8?q?[KVE-2026-0029]Stored=20XSS=20=EC=B7=A8?= =?UTF-8?q?=EC=95=BD=EC=A0=90=20=EC=88=98=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 bbs/write.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/bbs/write.php b/bbs/write.php
index 5efad03e3..39ffcbdf8 100644
--- a/bbs/write.php
+++ b/bbs/write.php
@@ -346,8 +346,10 @@ if ($w == '') {
 }
 for($i=0;$i<$file_count;$i++){
- if(! isset($file[$i])) {
+ if (!isset($file[$i])) {
 $file[$i] = array('file'=>null, 'source'=>null, 'size'=>null, 'bf_content' => null);
+ } else {
+ $file[$i]['bf_content'] = isset($file[$i]['bf_content']) ? htmlspecialchars($file[$i]['bf_content'], ENT_QUOTES, 'UTF-8', false) : null;
 }
 }
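Review bot: The added `else` branch escapes only `bf_content` and only on this code path, so the value presumably stays raw in storage and any other page that prints it still needs its own encoding; the sibling `source` key in the same array is left untouched and, if it carries the uploader-supplied file name, should be checked at its sink too. Passing `false` for `double_encode` leaves entities already present in the stored text as they are, so the line deserves a comment such as `// encoded here because the write form prints bf_content as-is; do not escape it again in the skin` to make the division of responsibility explicit. I would also use `ENT_QUOTES | ENT_SUBSTITUTE` so a description containing invalid UTF-8 is shown with replacement characters instead of collapsing to an empty string. The `for` loop sits in code that starts and ends outside the hunk, so where `$file` is populated and where it is rendered cannot be confirmed from here.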