fix #1583 is_keyword에 대한 취약점 문제 개선

2026-01-08 19:21:40 +09:00 · 2015-07-09 03:51:05 +09:00 · 2015-07-09 03:51:05 +09:00 · 85e9be0c9a
commit 85e9be0c9a
parent a69ebaeabc
4 changed files with 7 additions and 3 deletions
--- a/classes/display/HTMLDisplayHandler.php
+++ b/classes/display/HTMLDisplayHandler.php
@ -60,6 +60,10 @@ class HTMLDisplayHandler

 		$output = $oTemplate->compile($template_path, $tpl_file);

+		// SECISSUE https://github.com/xpressengine/xe-core/issues/1583
+		$oSecurity = new Security();
+		$oSecurity->encodeHTML('is_keyword');
+
 		// add .x div for adminitration pages
 		if(Context::getResponseMethod() == 'HTML')
 		{
--- a/layouts/default/layout.html
+++ b/layouts/default/layout.html
@ -22,7 +22,7 @@
 				<input type="hidden" name="vid" value="{$vid}" />
 				<input type="hidden" name="mid" value="{$mid}" />
 				<input type="hidden" name="act" value="IS" />
-				<input type="text" name="is_keyword" value="{htmlspecialchars($is_keyword, ENT_COMPAT | ENT_HTML401, 'UTF-8', false)}" required placeholder="{$lang->cmd_search}" title="{$lang->cmd_search}" />
+				<input type="text" name="is_keyword" value="{$is_keyword}" required placeholder="{$lang->cmd_search}" title="{$lang->cmd_search}" />
 				<input type="submit" value="{$lang->cmd_search}" />
 			</form>
 			<!-- /SEARCH -->
--- a/layouts/user_layout/layout.html
+++ b/layouts/user_layout/layout.html
@ -6,7 +6,7 @@
 			<input type="hidden" name="vid" value="{$vid}" />
 			<input type="hidden" name="mid" value="{$mid}" />
 			<input type="hidden" name="act" value="IS" />
-			<input type="text" name="is_keyword" value="{htmlspecialchars($is_keyword, ENT_COMPAT | ENT_HTML401, 'UTF-8', false)}" title="{$lang->cmd_search}" />
+			<input type="text" name="is_keyword" value="{$is_keyword}" title="{$lang->cmd_search}" />
 			<input type="submit" value="{$lang->cmd_search}" />
 		</form>
 		<hr />
--- a/layouts/xedition/layout.html
+++ b/layouts/xedition/layout.html
@ -170,7 +170,7 @@
 					<input type="hidden" name="vid" value="{$vid}" />
 					<input type="hidden" name="mid" value="{$mid}" />
 					<input type="hidden" name="act" value="IS" />
-					<input type="text" name="is_keyword" value="{htmlspecialchars($is_keyword, ENT_COMPAT | ENT_HTML401, 'UTF-8', false)}" required="required" title="{$lang->cmd_search}" placeholder="Search" />
+					<input type="text" name="is_keyword" value="{$is_keyword}" required="required" title="{$lang->cmd_search}" placeholder="Search" />
 				</form>
 				<!-- /SEARCH -->
 				<a href="#" class="btn_close" title="{$lang->cmd_xedition_search_close}" onclick="return false"><i class="xi-close"></i><span class="blind">{$lang->cmd_xedition_search_close}</span></a>