Fix #2005 XEVE-16-008 XSS 방지 및 XSS를 통해 특정 명령을 실행할 수 있는 보안취약점 해결

modules/autoinstall/autoinstall.admin.view.php

@@ -488,6 +488,7 @@ class autoinstallAdminView extends autoinstall
 
 		$security = new Security();
 		$security->encodeHTML('package.', 'package.depends..', 'item_list..');
+		$security->encodeHTML('search_target', 'search_keyword');
 	}
 
 	/**

modules/comment/comment.admin.view.php

@@ -116,6 +116,9 @@ class commentAdminView extends comment
 		}
 		Context::set('member_nick_name', $member_nick_neme);
 		
+		$security = new Security();
+		$security->encodeHTML('search_target', 'search_keyword');
+
 		// set the template 
 		$this->setTemplatePath($this->module_path . 'tpl');
 		$this->setTemplateFile('comment_list');

modules/document/document.admin.view.php

@@ -121,6 +121,9 @@ class documentAdminView extends document
 		}
 		Context::set('member_nick_name', $member_nick_neme);
 
+		$security = new Security();
+		$security->encodeHTML('search_target', 'search_keyword');
+
 		// Specify a template
 		$this->setTemplatePath($this->module_path.'tpl');
 		$this->setTemplateFile('document_list');

modules/file/file.admin.view.php

@@ -202,6 +202,7 @@ class fileAdminView extends file
 		$security = new Security();
 		$security->encodeHTML('file_list..');
 		$security->encodeHTML('module_list..');
+		$security->encodeHTML('search_target', 'search_keyword');
 
 		$this->setTemplatePath($this->module_path.'tpl');
 		$this->setTemplateFile('file_list');

modules/member/member.admin.view.php

@@ -118,6 +118,7 @@ class memberAdminView extends member
 
 		$security = new Security();
 		$security->encodeHTML('member_list..user_name', 'member_list..nick_name', 'member_list..group_list..');
+		$security->encodeHTML('search_target', 'search_keyword');
 
 		$this->setTemplateFile('member_list');
 	}

modules/menu/menu.admin.controller.php

@@ -1975,20 +1975,23 @@ class menuAdminController extends menu
 			// Get data from child nodes if exist.
 			if($menu_item_srl&&$tree[$menu_item_srl]) $child_output = $this->getPhpCacheCode($tree[$menu_item_srl], $tree, $site_srl, $domain);
 			else $child_output = array("buff"=>"", "url_list"=>array());
+
 			// List variables
 			$names = $oMenuAdminModel->getMenuItemNames($node->name, $site_srl);
 			unset($name_arr_str);
 			foreach($names as $key => $val)
 			{
-				$name_arr_str .= sprintf('"%s"=>"%s",',$key, str_replace(array('\\','"'),array('\\\\','"'),$val));
+				$name_arr_str .= sprintf('"%s"=>\'%s\',', $key, str_replace(array('\\','\''), array('\\\\','\\\''), strip_tags($val)));
 			}
 			$name_str = sprintf('$_menu_names[%d] = array(%s); %s', $node->menu_item_srl, $name_arr_str, $child_output['name']);
+
 			// If url value is not empty in the current node, put the value into an array url_list
 			if($node->url) $child_output['url_list'][] = $node->url;
 			$output['url_list'] = array_merge($output['url_list'], $child_output['url_list']);
 			// If node->group_srls value exists
 			if($node->group_srls)$group_check_code = sprintf('($is_admin==true||(is_array($group_srls)&&count(array_intersect($group_srls, array(%s))))||($is_logged && %s))',$node->group_srls,$node->group_srls == -1?1:0);
 			else $group_check_code = "true";
+
 			// List variables
 			$href = str_replace(array('&','"','<','>'),array('&amp;','&quot;','&lt;','&gt;'),$node->href);
 			$url = str_replace(array('&','"','<','>'),array('&amp;','&quot;','&lt;','&gt;'),$node->url);
@@ -2042,10 +2045,10 @@ class menuAdminController extends menu
 			}
 			// Create properties (check if it belongs to the menu node by url_list. It looks a trick but fast and powerful)
 			$attribute = sprintf(
-				'"node_srl"=>"%s","parent_srl"=>"%s","menu_name_key"=>\'%s\',"isShow"=>(%s?true:false),"text"=>(%s?$_menu_names[%d][$lang_type]:""),"href"=>(%s?%s:""),"url"=>(%s?"%s":""),"is_shortcut"=>"%s","desc"=>\'%s\',"open_window"=>"%s","normal_btn"=>"%s","hover_btn"=>"%s","active_btn"=>"%s","selected"=>(array(%s)&&in_array(Context::get("mid"),array(%s))?1:0),"expand"=>"%s", "list"=>array(%s),  "link"=>(%s? ( array(%s)&&in_array(Context::get("mid"),array(%s)) ?%s:%s):""),',
+				'"node_srl" => %d, "parent_srl" => %d, "menu_name_key" => \'%s\', "isShow" => (%s ? true : false), "text" => (%s ? $_menu_names[%d][$lang_type] : ""), "href" => (%s ? %s : ""), "url" => (%s ? "%s" : ""), "is_shortcut" => "%s", "desc" => \'%s\', "open_window" => "%s", "normal_btn" => "%s", "hover_btn" => "%s", "active_btn" => "%s", "selected" => (array(%s) && in_array(Context::get("mid"), array(%s)) ? 1 : 0), "expand" => \'%s\', "list" => array(%s), "link" => (%s ? (array(%s) && in_array(Context::get("mid"), array(%s)) ? %s : %s) : ""),',
 				$node->menu_item_srl,
 				$node->parent_srl,
-				addslashes($node->name),
+				strip_tags(addslashes($node->name)),
 				$group_check_code,
 				$group_check_code,
 				$node->menu_item_srl,

modules/point/point.admin.view.php

@@ -114,9 +114,10 @@ class pointAdminView extends point
 		$this->group_list = $oMemberModel->getGroups();
 		Context::set('group_list', $this->group_list);
 		//Security
-		$security = new Security();			
+		$security = new Security();
 		$security->encodeHTML('group_list..title','group_list..description');
 		$security->encodeHTML('member_list..');
+		$security->encodeHTML('search_target', 'search_keyword');
 
 		// Set the template
 		$this->setTemplateFile('member_list');

modules/poll/poll.admin.view.php

@@ -92,6 +92,8 @@ class pollAdminView extends poll
 
 		$security = new Security();
 		$security->encodeHTML('poll_list..title', 'poll_list..nick_name');
+		$security->encodeHTML('search_target', 'search_keyword');
+
 		// Set a template
 		$this->setTemplatePath($this->module_path.'tpl');
 		$this->setTemplateFile('poll_list');