From 109949c8a1e2d6c9211d086f36c2dbc766c8fe7e Mon Sep 17 00:00:00 2001
From: Kijin Sung
Date: Wed, 29 Apr 2026 17:51:02 +0900
Subject: [PATCH 1/3] Fix insufficient escape in autolink addon RVE-2026-9
---
 addons/autolink/autolink.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/addons/autolink/autolink.js b/addons/autolink/autolink.js
index b2c5534c5..d2affb61d 100644
--- a/addons/autolink/autolink.js
+++ b/addons/autolink/autolink.js
@@ -36,7 +36,7 @@
 var content = textNode.nodeValue;
 var dummy = $('');
- content = content.replace(//g, '>');
+ content = content.escape();
 content = content.replace(url_regex, function(match, p1, offset, string) {
 var match;
 var suffix = '';
@@ -107,5 +107,5 @@
 $this.attr("target", "_blank");
 }
 });
-
+
 })(jQuery);
From 1033cc33a7f14356f339fc12377bcf7f5661998c Mon Sep 17 00:00:00 2001
From: Kijin Sung
Date: Thu, 7 May 2026 17:10:14 +0900
Subject: [PATCH 2/3] Fix undefined variable error in PHP 8
---
 modules/layout/layout.view.php | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/modules/layout/layout.view.php b/modules/layout/layout.view.php
index b83713a16..5fbb4936e 100644
--- a/modules/layout/layout.view.php
+++ b/modules/layout/layout.view.php
@@ -301,6 +301,9 @@ class LayoutView extends Layout
 Context::set('skin_type', null);
 Context::set('skin_vars', null);
+ // Set dummy variable
+ Context::set('layout_info', Context::get('layout_info') ?: new stdClass());
+
 // Proc module
 $oModule = $oModuleHandler->procModule();
 if(!$oModule->toBool())
From abda55c926109073243aac14556b6fcfcc668a4d Mon Sep 17 00:00:00 2001
From: Kijin Sung
Date: Thu, 7 May 2026 17:17:35 +0900
Subject: [PATCH 3/3] Remove dispLayoutPreview
---
 modules/layout/conf/module.xml | 1 -
 modules/layout/layout.view.php | 70 ---------------------------
 modules/layout/tpl/js/adminEdit.js | 13 -----
 modules/layout/tpl/js/layout_admin.js | 10 ----
 modules/layout/tpl/layout_edit.html | 1 -
 5 files changed, 95 deletions(-)
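Review bot: The added `content = content.escape();` calls a String.prototype extension that is not standard JavaScript and is not visible in this hunk, so the RVE-2026-9 fix now depends on that helper being loaded before autolink.js and on it encoding `&` and both quote characters as well as the `<`/`>` the removed replace chain handled. A comment pinning that contract would make the dependency auditable: `// escape() is the shared String helper; it must HTML-encode &, <, >, " and ' because this text is later handled as HTML` (the HTML handling is inferred from `dummy` being a jQuery element, so confirm before wording it as fact). If the helper were missing the call would throw and autolinking would stop rather than fall back to unescaped text, which is the safe failure mode but worth a sentence in the commit or a comment. The replace callback opened in this hunk continues outside it.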
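Review bot: The comment `// Set dummy variable` on the added lines of layout.view.php says what the code does but not why; given the subject, the reason is presumably that later code or templates dereference `$layout_info` as an object even when no layout has been resolved, which PHP 8 reports on property access on null. Suggest `// Templates dereference $layout_info; substitute an empty object when no layout was loaded so property reads do not fail under PHP 8`. Note that `?:` tests truthiness rather than null-ness; that is harmless here because an object is always truthy, but `??` would state the intent more precisely if Context::get returns null for unset keys — confirm against Context::get before changing it. The enclosing method starts and ends outside this hunk.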
diff --git a/modules/layout/conf/module.xml b/modules/layout/conf/module.xml
index b5278c856..a01b9eb0f 100644
--- a/modules/layout/conf/module.xml
+++ b/modules/layout/conf/module.xml
@@ -2,7 +2,6 @@
-
diff --git a/modules/layout/layout.view.php b/modules/layout/layout.view.php
index 5fbb4936e..c68cf527c 100644
--- a/modules/layout/layout.view.php
+++ b/modules/layout/layout.view.php
@@ -317,76 +317,6 @@ class LayoutView extends Layout
 return $handler->toDoc($oModule);
 }
- /**
- * Preview a layout
- * @return void|Object (void : success, Object : fail)
- */
- function dispLayoutPreview()
- {
- if(!Rhymix\Framework\Security::checkCSRF())
- {
- throw new Rhymix\Framework\Exceptions\InvalidRequest;
- }
-
- // admin check
- // this act is admin view but in normal view because do not load admin css/js files
- $logged_info = Context::get('logged_info');
- if($logged_info->is_admin != 'Y') throw new Rhymix\Framework\Exceptions\InvalidRequest;
-
- $layout_srl = Context::get('layout_srl');
- $code = Context::get('code');
-
- $code_css = Context::get('code_css');
- if(!$layout_srl || !$code) throw new Rhymix\Framework\Exceptions\InvalidRequest;
- // Get the layout information
- $oLayoutModel = getModel('layout');
- $layout_info = $oLayoutModel->getLayout($layout_srl);
- if(!$layout_info) throw new Rhymix\Framework\Exceptions\InvalidRequest;
- // Separately handle the layout if its type is faceoff
- if($layout_info && $layout_info->type == 'faceoff') $oLayoutModel->doActivateFaceOff($layout_info);
- // Apply CSS directly
- Context::addHtmlHeader("");
- // Set names and values of extra_vars to $layout_info
- if($layout_info->extra_var_count)
- {
- foreach($layout_info->extra_var as $var_id => $val)
- {
- $layout_info->{$var_id} = $val->value;
- }
- }
- // menu in layout information becomes an argument for Context:: set
- if($layout_info->menu_count)
- {
- foreach($layout_info->menu as $menu_id => $menu)
- {
- $menu->php_file = FileHandler::getRealPath($menu->php_file);
- if(FileHandler::exists($menu->php_file)) include($menu->php_file);
-
- Context::set($menu_id, $menu);
- }
- }
-
- Context::set('layout_info', $layout_info);
- Context::set('content', lang('layout_preview_content'));
- // Temporary save the codes
- $edited_layout_file = RX_BASEDIR . 
'files/cache/layout/tmp.tpl';
- FileHandler::writeFile($edited_layout_file, $code);
-
- // Compile
- $oTemplate = TemplateHandler::getInstance();
-
- $layout_path = $layout_info->path;
- $layout_file = 'layout';
-
- $layout_tpl = $oTemplate->compile($layout_path, $layout_file, $edited_layout_file);
- Context::set('layout','none');
- // Convert widgets and others
- Context::set('layout_tpl', $layout_tpl);
- // Delete Temporary Files
- FileHandler::removeFile($edited_layout_file);
- $this->setTemplateFile('layout_preview');
- }
-
 private function getRealLayoutFile($layoutSrl)
 {
 $oLayoutModel = getModel('layout');
diff --git a/modules/layout/tpl/js/adminEdit.js b/modules/layout/tpl/js/adminEdit.js
index b8defafb7..bcb1971e1 100644
--- a/modules/layout/tpl/js/adminEdit.js
+++ b/modules/layout/tpl/js/adminEdit.js
@@ -1,16 +1,3 @@
-function doPreviewLayoutCode()
-{
- var $form = jQuery('#fo_layout'), $act = $form.find('input[name=act]');
- var og_act = $act.val();
-
- $form.attr('target', '_LayoutPreview');
- $act.val('dispLayoutPreview');
- $form.submit();
-
- $form.removeAttr('target');
- $act.val(og_act);
-}
-
 $(function() {
 $('.reset_layout').on('click', function(e) {
 var msg = $(this).data('confirmationMsg');
diff --git a/modules/layout/tpl/js/layout_admin.js b/modules/layout/tpl/js/layout_admin.js
index f2e4c7cf8..7a2099b54 100644
--- a/modules/layout/tpl/js/layout_admin.js
+++ b/modules/layout/tpl/js/layout_admin.js
@@ -70,16 +70,6 @@ function addLayoutCopyInputbox()
 (function($){
-/* preview layout */
-function doPreviewLayoutCode(layout_srl) {
- var fo = $('#fo_layout');
- var act = fo.find('input[name=act]:first').val();
- fo.attr('target', '_LayoutPreview').find('input[name=act]').val('dispLayoutAdminPreview');
- fo.submit();
- //.removeAttr('target').find('input[name=act]').val(act);
-}
-window.doPreviewLayoutCode = doPreviewLayoutCode;
-
 /* restore layout code */
 function doResetLayoutCode(layout_srl) {
 procFilter($('#fo_layout')[0], reset_layout_code);
diff --git a/modules/layout/tpl/layout_edit.html b/modules/layout/tpl/layout_edit.html
index 15a51f97a..5b70bc930 100644
--- a/modules/layout/tpl/layout_edit.html
+++ b/modules/layout/tpl/layout_edit.html
@@ -102,7 +102,6 @@
-