#18692685 : prevent CSRF attack

git-svn-id: http://xe-core.googlecode.com/svn/sandbox@7306 201d5d3c-b55e-5fd7-737f-ddc643e51545

modules/comment/comment.item.php

@@ -160,32 +160,6 @@
             return htmlspecialchars($this->get('nick_name'));
         }
 
-        function stripEmbedTagForAdmin(&$content)
-        {
-            if(!Context::get('is_logged')) return;
-            $oModuleModel = &getModel('module');
-            $logged_info = Context::get('logged_info');
-            $writer_member_srl = $this->get('member_srl');
-
-            if($writer_member_srl != $logged_info->member_srl && ($logged_info->is_admin == "Y" || $oModuleModel->isSiteAdmin($logged_info)) )
-            {   
-                if($writer_member_srl)
-                {
-                    $oMemberModel =& getModel('member');
-                    $member_info = $oMemberModel->getMemberInfoByMemberSrl($writer_member_srl);
-                    if($member_info->is_admin == "Y")
-                    {
-                        return;
-                    }
-                }
-                $security_msg = "<div style='border: 1px solid #DDD; background: #FAFAFA; text-align:center; margin: 1em 0;'><p style='margin: 1em;'>".Context::getLang('security_warning_embed')."</p></div>";
-                $content = preg_replace('/<embed[^>]+>(\s*<\/embed>)?/is', $security_msg, $content);
-                $content = preg_replace('/<img[^>]+editor_component="multimedia_link"[^>]*>(\s*<\/img>)?/is', $security_msg, $content);
-            }
-
-            return;
-        }
-
         function getContentText($strlen = 0) {
             if($this->isSecret() && !$this->isAccessible()) return Context::getLang('msg_is_secret');
 
@@ -200,7 +174,7 @@
             if($this->isSecret() && !$this->isAccessible()) return Context::getLang('msg_is_secret');
 
             $content = $this->get('content');
-            $this->stripEmbedTagForAdmin($content);
+            stripEmbedTagForAdmin($content, $this->get('member_srl'));
 
             // 이 댓글을... 팝업메뉴를 출력할 경우
             if($add_popup_menu && Context::get('is_logged') ) {

modules/communication/communication.view.php

@@ -43,7 +43,10 @@
             // message_srl이 있으면 내용 추출
             if($message_srl) {
                 $message = $oCommunicationModel->getSelectedMessage($message_srl);
-                if($message->message_srl == $message_srl && ($message->receiver_srl == $logged_info->member_srl || $message->sender_srl == $logged_info->member_srl) ) Context::set('message', $message);
+                if($message->message_srl == $message_srl && ($message->receiver_srl == $logged_info->member_srl || $message->sender_srl == $logged_info->member_srl) ) {
+					stripEmbedTagForAdmin($message->content, $message->sender_srl);
+					Context::set('message', $message);
+				}
             }
 
             // 목록 추출
@@ -73,7 +76,10 @@
 
             // 새 쪽지를 가져옴
             $message = $oCommunicationModel->getNewMessage();
-            if($message) Context::set('message', $message);
+            if($message) {
+				stripEmbedTagForAdmin($message->content, $message->sender_srl);
+				Context::set('message', $message);
+			}
             
             // 플래그 삭제
             $flag_path = './files/communication_extra_info/new_message_flags/'.getNumberingPath($logged_info->member_srl);

modules/document/document.item.php

@@ -251,32 +251,6 @@
             return htmlspecialchars($content);
         }
 
-        function stripEmbedTagForAdmin(&$content)
-        {
-            if(!Context::get('is_logged')) return;
-            $oModuleModel = &getModel('module');
-            $logged_info = Context::get('logged_info');
-            $writer_member_srl = $this->get('member_srl');
-
-            if($writer_member_srl != $logged_info->member_srl && ($logged_info->is_admin == "Y" || $oModuleModel->isSiteAdmin($logged_info)) )
-            {   
-                if($writer_member_srl)
-                {
-                    $oMemberModel =& getModel('member');
-                    $member_info = $oMemberModel->getMemberInfoByMemberSrl($writer_member_srl);
-                    if($member_info->is_admin == "Y")
-                    {
-                        return;
-                    }
-                }
-                $security_msg = "<div style='border: 1px solid #DDD; background: #FAFAFA; text-align:center; margin: 1em 0;'><p style='margin: 1em;'>".Context::getLang('security_warning_embed')."</p></div>";
-                $content = preg_replace('/<embed[^>]+>(\s*<\/embed>)?/is', $security_msg, $content);
-                $content = preg_replace('/<img[^>]+editor_component="multimedia_link"[^>]*>(\s*<\/img>)?/is', $security_msg, $content);
-            }
-
-            return;
-        }
-
         function getContent($add_popup_menu = true, $add_content_info = true, $resource_realpath = false, $add_xe_content_class = true) {
             if(!$this->document_srl) return;
 
@@ -285,7 +259,7 @@
             $_SESSION['accessible'][$this->document_srl] = true;
 
             $content = $this->get('content');
-            $this->stripEmbedTagForAdmin($content);
+            stripEmbedTagForAdmin($content, $this->get('member_srl'));
 
             // rewrite모듈을 사용하면 링크 재정의
             $oContext = &Context::getInstance();