diff --git a/adm/menu_form.php b/adm/menu_form.php
index ce10a176b..20c2a9533 100644
--- a/adm/menu_form.php
+++ b/adm/menu_form.php
@@ -117,6 +117,15 @@ if ($new == 'new' || !$code) {
 });
 });
+ function htmlEscape(str) {
+ return str
+ .replace(/&/g, '&')
+ .replace(//g, '>')
+ .replace(/"/g, '"')
+ .replace(/'/g, ''');
+ }
+
 function add_menu_list(name, link, code) {
 var $menulist = $("#menulist", opener.document);
 var ms = new Date().getTime();
@@ -126,7 +135,10 @@ if ($new == 'new' || !$code) {
 sub_menu_class = " class=\"td_category sub_menu_class\"";
-
+
+ name = htmlEscape(name);
+ link = htmlEscape(link);
+
 var list = "\">";
 list += "";
 list += "";
diff --git a/bbs/register_form_update.php b/bbs/register_form_update.php
index 08cd81ead..2617aa4ce 100644
--- a/bbs/register_form_update.php
+++ b/bbs/register_form_update.php
@@ -64,15 +64,15 @@ $mb_8 = isset($_POST['mb_8']) ? trim($_POST['mb_8'])
 $mb_9 = isset($_POST['mb_9']) ? trim($_POST['mb_9']) : "";
 $mb_10 = isset($_POST['mb_10']) ? trim($_POST['mb_10']) : "";
-$mb_name = clean_xss_tags($mb_name);
+$mb_name = clean_xss_tags($mb_name, 1, 1);
 $mb_email = get_email_address($mb_email);
-$mb_homepage = clean_xss_tags($mb_homepage);
-$mb_tel = clean_xss_tags($mb_tel);
+$mb_homepage = clean_xss_tags($mb_homepage, 1, 1);
+$mb_tel = clean_xss_tags($mb_tel, 1, 1);
 $mb_zip1 = preg_replace('/[^0-9]/', '', $mb_zip1);
 $mb_zip2 = preg_replace('/[^0-9]/', '', $mb_zip2);
-$mb_addr1 = clean_xss_tags($mb_addr1);
-$mb_addr2 = clean_xss_tags($mb_addr2);
-$mb_addr3 = clean_xss_tags($mb_addr3);
+$mb_addr1 = clean_xss_tags($mb_addr1, 1, 1);
+$mb_addr2 = clean_xss_tags($mb_addr2, 1, 1);
+$mb_addr3 = clean_xss_tags($mb_addr3, 1, 1);
 $mb_addr_jibeon = preg_match("/^(N|R)$/", $mb_addr_jibeon) ? $mb_addr_jibeon : '';
 run_event('register_form_update_before', $mb_id, $w);
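Review bot: As rendered in this hunk the replacement strings of `htmlEscape` read as the bare characters `'&'`, `'>'`, `'"'`, `'''` and the `<` case is missing (`.replace(//g, '>')`), which, if that is literally what was committed, makes the function a no-op and the last line a syntax error; this looks like entity decoding in the diff view, but the committed text should be confirmed to be `'&amp;'`, `'&lt;'`, `'&gt;'`, `'&quot;'`, `'&#39;'` with separate `<` and `>` replacements, keeping the `&` replacement first as it is here. The chain also throws if `str` is not a string (an `undefined` argument or a numeric value), so starting with `return String(str)` is a cheap guard. HTML escaping only stops a value from breaking out of the markup; if `link` ends up in an `href`, a `javascript:` URL survives escaping unchanged and the scheme has to be validated where the link is stored.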
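Review bot: The escaping is applied to `name` and `link` only; `code`, the third parameter of `add_menu_list`, is left untouched, and since the list markup that follows is garbled in this view I cannot tell whether it is interpolated as well — if it is, it needs the same `code = htmlEscape(code);`. Reassigning the parameters also means any later use of `name` or `link` in this function for a non-HTML purpose (a form field value, a comparison against the original) now sees the escaped form; escaping at the point of interpolation, `list += htmlEscape(name);` where the string is built, avoids that. The body of `add_menu_list` begins before and continues after this hunk.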
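Review bot: The new `clean_xss_tags($x, 1, 1)` calls pass two bare positional flags whose meaning cannot be recovered from this file; a one-line comment above the first call naming what the two `1`s enable (or a named constant for each) would stop the next maintainer from guessing. Tag stripping on input is defence in depth rather than a substitute for output encoding, and it does nothing for the URL semantics of `$mb_homepage`: if that field is rendered as a link elsewhere, a `javascript:` value presumably passes a tag stripper untouched, so check the scheme before storing, e.g. `if ($mb_homepage !== '' && !preg_match('#^https?://#i', $mb_homepage)) $mb_homepage = '';`. `$mb_tel` can be whitelisted the way `$mb_zip1`/`$mb_zip2` are two lines below, `$mb_tel = preg_replace('/[^0-9+\-() ]/', '', $mb_tel);`, which makes tag stripping on that field unnecessary.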