diff --git a/admin/help/index.html b/admin/help/index.html
index e6c72b4b3..a97e714c1 100644
--- a/admin/help/index.html
+++ b/admin/help/index.html
@@ -441,6 +441,23 @@ body,table,input,textarea,select,button{font-family:나눔고딕,NanumGothic,NG,
파일박스를 관리할 수 있습니다. 파일박스는 관리자가 재사용할 수 있는 이미지 파일을 관리하는 기능입니다. 회원 그룹 아이콘을 등록하면 이미지 파일은 파일박스에 업로드됩니다.
+
+ embed Filter
+ <iframe> 또는 <object>, <embed> 태그에 허용 할 URL을 지정할 수 있습니다.
주로 domain을 포함한 URL을 지정하여 허용 URL을 지정할 수 있습니다.
+ domain을 포함하지 않은 짧거나 단순한 단어('video', 'swf' 등)만을 지정할 경우 손쉽게 악의적인 접근을 시도할 수 있으니 주의해야 합니다.
+
+ - iFrame
+ -
+
<iframe> 태그에 허용 할 URL을 지정할 수 있습니다.
+ 예시 : 'http://www.youtube.com/v/...'와 같은 URL을 <iframe>에 허용 하려면 'http://www.youtube.com/v/'처럼 입력하면 됩니다.
+
+ - object / embed
+ -
+
<object>, <embed> 태그에 허용 할 URL을 지정할 수 있습니다.
+ 주로 domain을 포함한 URL을 지정하여 허용 URL을 지정할 수 있습니다.
예시 : 'http://www.youtube.com/v/...'와 같은 URL을 <object>, <embed>에 허용 하려면 'http://www.youtube.com/v/'처럼 입력하면 됩니다.
+
+
+
고급
diff --git a/classes/security/EmbedFilter.class.php b/classes/security/EmbedFilter.class.php
index a4c98ded0..42d6539ad 100644
--- a/classes/security/EmbedFilter.class.php
+++ b/classes/security/EmbedFilter.class.php
@@ -590,37 +590,55 @@ class EmbedFilter
/**
* Make white domain list cache file from xml config file.
+ * @param $whitelist array
* @return void
*/
- function _makeWhiteDomainList()
+ function _makeWhiteDomainList($whitelist = NULL)
{
$whiteUrlXmlFile = FileHandler::getRealPath($this->whiteUrlXmlFile);
$whiteUrlCacheFile = FileHandler::getRealPath($this->whiteUrlCacheFile);
- $isMake = false;
+ $isMake = FALSE;
if(!file_exists($whiteUrlCacheFile))
{
- $isMake = true;
+ $isMake = TRUE;
}
if(file_exists($whiteUrlCacheFile) && filemtime($whiteUrlCacheFile) < filemtime($whiteUrlXmlFile))
{
- $isMake = true;
+ $isMake = TRUE;
+ }
+
+ if(gettype($whitelist) == 'array' && gettype($whitelist['object']) == 'array' && gettype($whitelist['iframe']) == 'array')
+ {
+ $isMake = FALSE;
+ }
+
+ if(isset($whitelist) && gettype($whitelist) == 'object')
+ {
+ $isMake = TRUE;
}
if($isMake)
{
- $xmlBuff = FileHandler::readFile($this->whiteUrlXmlFile);
+ $whiteUrlList = array();
+ $whiteIframeUrlList = array();
- $xmlParser = new XmlParser();
- $domainListObj = $xmlParser->parse($xmlBuff);
- $embedDomainList = $domainListObj->whiteurl->embed->domain;
- $iframeDomainList = $domainListObj->whiteurl->iframe->domain;
-
- $buff = 'object) == 'array' && gettype($whitelist->iframe) == 'array')
{
+ $whiteUrlList = $whitelist->object;
+ $whiteIframeUrlList = $whitelist->iframe;
+ }
+ else
+ {
+ $xmlBuff = FileHandler::readFile($this->whiteUrlXmlFile);
+
+ $xmlParser = new XmlParser();
+ $domainListObj = $xmlParser->parse($xmlBuff);
+ $embedDomainList = $domainListObj->whiteurl->embed->domain;
+ $iframeDomainList = $domainListObj->whiteurl->iframe->domain;
+ if(!is_array($embedDomainList)) $embedDomainList = array();
+ if(!is_array($iframeDomainList)) $iframeDomainList = array();
+
foreach($embedDomainList AS $key => $value)
{
$patternList = $value->pattern;
@@ -628,16 +646,15 @@ class EmbedFilter
{
foreach($patternList AS $key => $value)
{
- $buff .= sprintf('$whiteUrlList[] = \'%s\';', $value->body);
+ $whiteUrlList[] = $value->body;
}
}
else
- $buff .= sprintf('$whiteUrlList[] = \'%s\';', $patternList->body);
+ {
+ $whiteUrlList[] = $patternList->body;
+ }
}
- }
- if(is_array($iframeDomainList))
- {
foreach($iframeDomainList AS $key => $value)
{
$patternList = $value->pattern;
@@ -645,20 +662,39 @@ class EmbedFilter
{
foreach($patternList AS $key => $value)
{
- $buff .= sprintf('$whiteIframeUrlList[] = \'%s\';', $value->body);
+ $whiteIframeUrlList[] = $value->body;
}
}
else
- $buff .= sprintf('$whiteIframeUrlList[] = \'%s\';', $patternList->body);
+ {
+ $whiteIframeUrlList[] = $patternList->body;
+ }
}
}
- if(Context::getDefaultUrl())
+ $db_info = Context::getDBInfo();
+
+ if($db_info->embed_white_object)
{
- $buff .= sprintf('$whiteIframeUrlList[] = \'%s\';', Context::getDefaultUrl());
+ $whiteUrlList = array_merge($whiteUrlList, $db_info->embed_white_object);
}
- $buff .= '?>';
- FileHandler::writeFile($this->whiteUrlCacheFile, $buff);
+
+ if($db_info->embed_white_iframe)
+ {
+ $whiteIframeUrlList = array_merge($whiteIframeUrlList, $db_info->embed_white_iframe);
+ }
+
+ $whiteUrlList = array_unique($whiteUrlList);
+ $whiteIframeUrlList = array_unique($whiteIframeUrlList);
+ asort($whiteUrlList);
+ asort($whiteIframeUrlList);
+
+ $buff = array();
+ $buff[] = 'whiteUrlCacheFile, implode(PHP_EOL, $buff));
}
}
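Review bot: The site's own URL is no longer added to the iframe whitelist: the removed L130-L135 appended `Context::getDefaultUrl()` and nothing on the new side replaces it, so iframes pointing back at this installation that the old filter allowed will now be filtered until an admin re-adds the URL by hand. If that is intended it deserves a comment and a help-text line; otherwise keep `if(Context::getDefaultUrl()) $whiteIframeUrlList[] = Context::getDefaultUrl();` just before the `array_unique` calls. Entries merged from `$db_info->embed_white_object`/`embed_white_iframe` now originate in an admin textarea and are still emitted into a PHP cache file (L151-L152; the writer line is mangled in this view), so each value should be written with `var_export($value, true)` rather than pasted between quotes, since the controller strips `'`/`"` but not backslashes, and a trailing `\` would corrupt the generated source. Both `array_merge` calls should also be guarded with `is_array(...)` instead of plain truthiness so a scalar left in an older config cannot break regeneration. This hunk is the tail of `_makeWhiteDomainList`, which starts in the previous hunk.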
diff --git a/modules/admin/admin.admin.controller.php b/modules/admin/admin.admin.controller.php
index 04bcdf3ac..cd03fe6e1 100644
--- a/modules/admin/admin.admin.controller.php
+++ b/modules/admin/admin.admin.controller.php
@@ -490,7 +490,7 @@ class adminAdminController extends admin
$db_info->use_sitelock = ($vars->use_sitelock) ? $vars->use_sitelock : 'N';
$db_info->sitelock_title = $vars->sitelock_title;
$db_info->sitelock_message = $vars->sitelock_message;
-
+
$whitelist = $vars->sitelock_whitelist;
$whitelist = preg_replace("/[\r|\n|\r\n]+/",",",$whitelist);
$whitelist = preg_replace("/\s+/","",$whitelist);
@@ -505,16 +505,15 @@ class adminAdminController extends admin
if(!IpFilter::validate($whitelist)) {
return new Object(-1, 'msg_invalid_ip');
}
-
+
$db_info->sitelock_whitelist = $whitelist;
-
+
$oInstallController = getController('install');
if(!$oInstallController->makeConfigFile())
{
return new Object(-1, 'msg_invalid_request');
}
-
if(!in_array(Context::getRequestMethod(), array('XMLRPC','JSON')))
{
$returnUrl = Context::get('success_return_url');
@@ -522,12 +521,50 @@ class adminAdminController extends admin
header('location:' . $returnUrl);
return;
}
-
-
-
-
-
+ }
+ function procAdminUpdateEmbedWhitelist()
+ {
+ $vars = Context::getRequestVars();
+
+ $db_info = Context::getDbInfo();
+
+ $white_object = $vars->embed_white_object;
+ $white_object = preg_replace("/[\r\n|\r|\n]+/", '|@|', $white_object);
+ $white_object = preg_replace("/[\s\'\"]+/", '', $white_object);
+ $white_object = explode('|@|', $white_object);
+ $white_object = array_unique($white_object);
+
+ $white_iframe = $vars->embed_white_iframe;
+ $white_iframe = preg_replace("/[\r\n|\r|\n]+/", '|@|', $white_iframe);
+ $white_iframe = preg_replace("/[\s\'\"]+/", '', $white_iframe);
+ $white_iframe = explode('|@|', $white_iframe);
+ $white_iframe = array_unique($white_iframe);
+
+ $whitelist = new stdClass;
+ $whitelist->object = $white_object;
+ $whitelist->iframe = $white_iframe;
+
+ $db_info->embed_white_object = $white_object;
+ $db_info->embed_white_iframe = $white_iframe;
+
+ $oInstallController = getController('install');
+ if(!$oInstallController->makeConfigFile())
+ {
+ return new Object(-1, 'msg_invalid_request');
+ }
+
+ require_once(_XE_PATH_ . 'classes/security/EmbedFilter.class.php');
+ $oEmbedFilter = EmbedFilter::getInstance();
+ $oEmbedFilter->_makeWhiteDomainList($whitelist);
+
+ if(!in_array(Context::getRequestMethod(), array('XMLRPC','JSON')))
+ {
+ $returnUrl = Context::get('success_return_url');
+ if(!$returnUrl) $returnUrl = getNotEncodedUrl('', 'act', 'dispAdminConfigGeneral');
+ header('location:' . $returnUrl);
+ return;
+ }
}
}
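Review bot: Blank input produces an empty-string whitelist entry in `procAdminUpdateEmbedWhitelist`: `explode('|@|', '')` returns `['']`, and a trailing newline in the textarea (the common case) leaves a `''` element after the split at L205/L211, which is then saved to the config and passed to `_makeWhiteDomainList`. Whether an empty pattern matches every URL depends on the matcher, which is not visible here, but the help text in this same commit warns that short patterns open the filter up, so empty ones must not be stored at all: add `$white_object = array_values(array_filter($white_object, 'strlen'));` after the `array_unique` and the same for `$white_iframe`. The newline regexes `/[\r\n|\r|\n]+/` put `|` inside a character class, so `|` is a literal alternative there and any entry containing a pipe is also split; `/[\r\n]+/` is what is meant. The action performs no permission check itself, so it relies on the module.xml registration (garbled at L258-L259 here) to restrict it to administrators; that assumption is worth stating in the method's docblock.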
diff --git a/modules/admin/admin.admin.view.php b/modules/admin/admin.admin.view.php
index 6fdbe1286..97a14c6de 100644
--- a/modules/admin/admin.admin.view.php
+++ b/modules/admin/admin.admin.view.php
@@ -446,6 +446,11 @@ class adminAdminView extends admin
Context::set('siteTitle', $config->siteTitle);
Context::set('htmlFooter', $config->htmlFooter);
+ // embed filter
+ require_once(_XE_PATH_ . 'classes/security/EmbedFilter.class.php');
+ $oEmbedFilter = EmbedFilter::getInstance();
+ context::set('embed_white_object', implode(PHP_EOL, $oEmbedFilter->whiteUrlList));
+ context::set('embed_white_iframe', implode(PHP_EOL, $oEmbedFilter->whiteIframeUrlList));
$columnList = array('modules.mid', 'modules.browser_title', 'sites.index_module_srl');
$start_module = $oModuleModel->getSiteInfo(0, $columnList);
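Review bot: `context::set` on L250-L251 uses a lowercased class name while the surrounding code two lines above uses `Context::set`; PHP resolves class names case-insensitively so it works, but it defeats grep and reads as a different class, so change both to `Context::set`. The template is also populated from `$oEmbedFilter->whiteUrlList` and `whiteIframeUrlList` directly, which presumes `getInstance()` has already loaded the cache into those public properties; if the cache is absent at this point the textareas will render empty, so a comment noting that dependency would help the next reader. The enclosing method starts outside this hunk.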
diff --git a/modules/admin/conf/module.xml b/modules/admin/conf/module.xml
index 778e18cbe..109c669f7 100644
--- a/modules/admin/conf/module.xml
+++ b/modules/admin/conf/module.xml
@@ -19,6 +19,7 @@
+
diff --git a/modules/admin/tpl/config_general.html b/modules/admin/tpl/config_general.html
index bc5c5a68d..d6c55fd82 100644
--- a/modules/admin/tpl/config_general.html
+++ b/modules/admin/tpl/config_general.html
@@ -131,6 +131,38 @@
+
+
+
+ embed Filter {$lang->subtitle_embed_whitelist} {$lang->help}
+
+
+
+
{$lang->subtitle_advanced}