fanbinit/rhymix
1
0
Fork 0
mirror of https://github.com/Lastorder-DC/rhymix.git synced 2026-05-11 04:52:14 +09:00
Code Issues Projects Releases Packages Wiki Activity

XSS 시도를 차단하기 위한 글 내용의 event handling 코드를 무효화 시키도록 기능 추가

Browse source 
git-svn-id: http://xe-core.googlecode.com/svn/sandbox@4302 201d5d3c-b55e-5fd7-737f-ddc643e51545
This commit is contained in:
zero 2008-06-19 05:40:20 +00:00
parent 7f153ad654
commit 87fc21be8c
1 changed files with 9 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

9
config/func.inc.php
View file

@ -416,9 +416,18 @@
// style 태그 제거 // style 태그 제거
$content = preg_replace("!<style(.*?)<\/style>!is", '', $content); $content = preg_replace("!<style(.*?)<\/style>!is", '', $content);
// XSS 사용을 위한 이벤트 제거
$content = preg_replace_callback("!<([a-z]+)(.*?)>!is", removeJSEvent, $content);
return $content; return $content;
} }
function removeJSEvent($matches) {
$tag = strtolower($matches[1]);
if($tag == "a" && preg_match('/href=("|\'?)javascript:/i',$matches[2])) $matches[0] = preg_replace('/href=("|\'?)javascript:/i','href=$1_javascript:', $matches[0]);
return preg_replace('/on([a-z]+)=/i','_on$1=',$matches[0]);
}
// hexa값을 RGB로 변환 // hexa값을 RGB로 변환
if(!function_exists('hexrgb')) { if(!function_exists('hexrgb')) {
function hexrgb($hexstr) { function hexrgb($hexstr) {