KVE-2018-0979 그누보드 영카트 lgxpay XSS 취약점 수정

2018-11-16 10:55:56 +09:00
parent ad2419026a
commit e7caff2e63
2 changed files with 4 additions and 0 deletions
--- a/plugin/lgxpay/AuthOnlyReq.php
+++ b/plugin/lgxpay/AuthOnlyReq.php
@ -165,6 +165,8 @@ $_SESSION['lgd_certify'] = $payReqMap;
 <input type="hidden" name="LGD_ENCODING" value="UTF-8"/>
 <?php
 foreach ($payReqMap as $key => $value) {
+    $key = htmlspecialchars(strip_tags($key));
+    $value = htmlspecialchars(strip_tags($value));
    echo "<input type='hidden' name='$key' id='$key' value='$value'/>".PHP_EOL;
 }
 ?>
--- a/plugin/lgxpay/returnurl.php
+++ b/plugin/lgxpay/returnurl.php
@ -57,6 +57,8 @@ $payReqMap = $_SESSION['lgd_certify'];//결제 요청시, Session에 저장했
 <form method="post" name="LGD_RETURNINFO" id="LGD_RETURNINFO">
 <?php
 	  foreach ($payReqMap as $key => $value) {
+        $key = htmlspecialchars(strip_tags($key));
+        $value = htmlspecialchars(strip_tags($value));
      echo "<input type='hidden' name='$key' id='$key' value='$value'>";
    }
 ?>