From 05fc125a0fa86de1dbf39eaf2da69f9a2dbdd269 Mon Sep 17 00:00:00 2001
From: Kijin Sung
Date: Wed, 6 May 2015 10:40:18 +0900
Subject: [PATCH] =?UTF-8?q?=EC=A0=95=EB=B3=B4=EC=88=98=EC=A0=95=EC=8B=9C?= =?UTF-8?q?=EC=97=90=EB=8F=84=20=EB=A7=88=EC=B0=AC=EA=B0=80=EC=A7=80?= =?UTF-8?q?=EB=A1=9C=20=EC=A4=91=EB=B3=B5=EC=B2=B4=ED=81=AC=20=EC=A0=84?= =?UTF-8?q?=EC=97=90=20htmlspecialchars=20=EC=A0=81=EC=9A=A9?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 modules/member/member.controller.php | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/modules/member/member.controller.php b/modules/member/member.controller.php
index 73bd004d4..62772a0d2 100644
--- a/modules/member/member.controller.php
+++ b/modules/member/member.controller.php
@@ -2168,6 +2168,15 @@ class memberController extends member
 }
 }
+ // Sanitize user ID, username, nickname, homepage, blog
+ $args->user_id = htmlspecialchars($args->user_id, ENT_COMPAT | ENT_HTML401, 'UTF-8', false);
+ $args->user_name = htmlspecialchars($args->user_name, ENT_COMPAT | ENT_HTML401, 'UTF-8', false);
+ $args->nick_name = htmlspecialchars($args->nick_name, ENT_COMPAT | ENT_HTML401, 'UTF-8', false);
+ $args->homepage = htmlspecialchars($args->homepage, ENT_COMPAT | ENT_HTML401, 'UTF-8', false);
+ $args->blog = htmlspecialchars($args->blog, ENT_COMPAT | ENT_HTML401, 'UTF-8', false);
+ if($args->homepage && !preg_match("/^[a-z]+:\/\//is",$args->homepage)) $args->homepage = 'http://'.$args->homepage;
+ if($args->blog && !preg_match("/^[a-z]+:\/\//is",$args->blog)) $args->blog = 'http://'.$args->blog;
+
 // check member identifier form
 $config = $oMemberModel->getMemberConfig();
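Review bot: The `preg_match("/^[a-z]+:\/\//is", ...)` guards on the new homepage/blog lines only check that some scheme is present, so a value carrying a non-web scheme is stored unchanged; if these fields are rendered as links (presumably, given the `http://` normalization), an explicit allowlist after the prefixing lines is safer, e.g. `if($args->homepage && !preg_match('/^https?:\/\//i', $args->homepage)) return new Object(-1, 'MSG_KEY_PLACEHOLDER');` and the same for `$args->blog`. Note also that `htmlspecialchars()` is called with `double_encode=false`, so entities already present in the submitted value are kept as-is rather than encoded again, which is worth a comment since the duplicate checks further down now compare these encoded forms. The new comment could state why the block was moved here: `// Encode before the duplicate checks so the compared and stored values are identical`. The enclosing method starts and ends outside the hunk.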
@@ -2198,15 +2207,6 @@ class memberController extends member
 if($member_srl && $orgMemberInfo->nick_name != $args->nick_name) return new Object(-1,'msg_exists_nick_name');
 list($args->email_id, $args->email_host) = explode('@', $args->email_address);
- // Website, blog, checks the address
- $args->user_id = htmlspecialchars($args->user_id, ENT_COMPAT | ENT_HTML401, 'UTF-8', false);
- $args->user_name = htmlspecialchars($args->user_name, ENT_COMPAT | ENT_HTML401, 'UTF-8', false);
- $args->nick_name = htmlspecialchars($args->nick_name, ENT_COMPAT | ENT_HTML401, 'UTF-8', false);
- $args->homepage = htmlspecialchars($args->homepage, ENT_COMPAT | ENT_HTML401, 'UTF-8', false);
- $args->blog = htmlspecialchars($args->blog, ENT_COMPAT | ENT_HTML401, 'UTF-8', false);
- if($args->homepage && !preg_match("/^[a-z]+:\/\//is",$args->homepage)) $args->homepage = 'http://'.$args->homepage;
- if($args->blog && !preg_match("/^[a-z]+:\/\//is",$args->blog)) $args->blog = 'http://'.$args->blog;
-
 $oDB = &DB::getInstance();
 $oDB->begin();