diff --git a/adm/sms_admin/form_write.php b/adm/sms_admin/form_write.php
index 603bd2c03..a8a8816cd 100644
--- a/adm/sms_admin/form_write.php
+++ b/adm/sms_admin/form_write.php
@@ -145,7 +145,7 @@ include_once(G5_ADMIN_PATH.'/admin.head.php');
diff --git a/adm/sms_admin/num_book.php b/adm/sms_admin/num_book.php
index 1e31e18b5..9813ea938 100644
--- a/adm/sms_admin/num_book.php
+++ b/adm/sms_admin/num_book.php
@@ -142,7 +142,7 @@ function no_hp_click(val)
-
+
diff --git a/adm/sms_admin/num_book_write.php b/adm/sms_admin/num_book_write.php
index 7bfe367c5..68bf45bbd 100644
--- a/adm/sms_admin/num_book_write.php
+++ b/adm/sms_admin/num_book_write.php
@@ -130,7 +130,7 @@ include_once(G5_ADMIN_PATH."/admin.head.php");
diff --git a/bbs/download.php b/bbs/download.php
index e83a21e69..c94923db0 100644
--- a/bbs/download.php
+++ b/bbs/download.php
@@ -25,8 +25,8 @@ if (!$file['bf_file'])
// JavaScript 불가일 때
if($js != 'on' && $board['bo_download_point'] < 0) {
$msg = $file['bf_source'].' 파일을 다운로드 하시면 포인트가 차감('.number_format($board['bo_download_point']).'점)됩니다.\\n포인트는 게시물당 한번만 차감되며 다음에 다시 다운로드 하셔도 중복하여 차감하지 않습니다.\\n그래도 다운로드 하시겠습니까?';
- $url1 = G5_BBS_URL.'/download.php?'.$_SERVER['QUERY_STRING'].'&js=on';
- $url2 = $_SERVER['HTTP_REFERER'];
+ $url1 = G5_BBS_URL.'/download.php?'.clean_query_string($_SERVER['QUERY_STRING']).'&js=on';
+ $url2 = clean_xss_tags($_SERVER['HTTP_REFERER']);
//$url1 = 확인link, $url2=취소link
// 특정주소로 이동시키려면 $url3 이용
diff --git a/lib/common.lib.php b/lib/common.lib.php
index 47ea9000e..5e0c46a66 100644
--- a/lib/common.lib.php
+++ b/lib/common.lib.php
@@ -2884,4 +2884,88 @@ function check_url_host($url, $msg='', $return_url=G5_URL)
}
}
}
+
+// QUERY STRING 에 포함된 XSS 태그 제거
+function clean_query_string($query, $amp=true)
+{
+ $qstr = trim($query);
+
+ parse_str($qstr, $out);
+
+ if(is_array($out)) {
+ $q = array();
+
+ foreach($out as $key=>$val) {
+ $key = trim($key);
+ $val = trim($val);
+
+ switch($key) {
+ case 'wr_id':
+ $val = (int)preg_replace('/[^0-9]/', '', $val);
+ $q[$key] = $val;
+ break;
+ case 'sca':
+ $val = clean_xss_tags($val);
+ $q[$key] = $val;
+ break;
+ case 'sfl':
+ $val = preg_replace("/[\<\>\'\"\\\'\\\"\%\=\(\)\s]/", "", $val);
+ $q[$key] = $val;
+ break;
+ case 'stx':
+ $val = get_search_string($val);
+ $q[$key] = $val;
+ break;
+ case 'sst':
+ $val = preg_replace("/[\<\>\'\"\\\'\\\"\%\=\(\)\s]/", "", $val);
+ $q[$key] = $val;
+ break;
+ case 'sod':
+ $val = preg_match("/^(asc|desc)$/i", $val) ? $val : '';
+ $q[$key] = $val;
+ break;
+ case 'sop':
+ $val = preg_match("/^(or|and)$/i", $val) ? $val : '';
+ $q[$key] = $val;
+ break;
+ case 'spt':
+ $val = (int)preg_replace('/[^0-9]/', '', $val);
+ $q[$key] = $val;
+ break;
+ case 'page':
+ $val = (int)preg_replace('/[^0-9]/', '', $val);
+ $q[$key] = $val;
+ break;
+ case 'w':
+ $val = substr($val, 0, 2);
+ $q[$key] = $val;
+ break;
+ case 'bo_table':
+ $val = preg_replace('/[^a-z0-9_]/i', '', $val);
+ $val = substr($val, 0, 20);
+ $q[$key] = $val;
+ break;
+ case 'gr_id':
+ $val = preg_replace('/[^a-z0-9_]/i', '', $val);
+ $q[$key] = $val;
+ break;
+ default:
+ $val = clean_xss_tags($val);
+ $q[$key] = $val;
+ break;
+ }
+ }
+
+ if($amp)
+ $sep = '&';
+ else
+ $sep ='&';
+
+ $str = http_build_query($q, '', $sep);
+ } else {
+ $str = clean_xss_tags($qstr);
+ }
+
+ return $str;
+}
?>
\ No newline at end of file
diff --git a/mobile/skin/board/basic/view_comment.skin.php b/mobile/skin/board/basic/view_comment.skin.php
index d3aa7fe05..c6984f652 100644
--- a/mobile/skin/board/basic/view_comment.skin.php
+++ b/mobile/skin/board/basic/view_comment.skin.php
@@ -50,7 +50,7 @@ var char_max = parseInt(); // 최대
); // 최대
); // 최대
); // 최대