From 97586855d77d896bcec8576f5b55797a65a30127 Mon Sep 17 00:00:00 2001
From: Kijin Sung
Date: Tue, 28 Jun 2022 20:12:02 +0900
Subject: [PATCH] RVE-2022-3 filter skin parameter and others in dispLayoutPreviewWithModule()
---
 modules/layout/layout.view.php | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/modules/layout/layout.view.php b/modules/layout/layout.view.php
index 290c5d164..1f355367c 100644
--- a/modules/layout/layout.view.php
+++ b/modules/layout/layout.view.php
@@ -41,12 +41,11 @@ class layoutView extends layout
 	public function dispLayoutPreviewWithModule()
 	{
 		$content = '';
-		$layoutSrl = Context::get('layout_srl');
-
-		$module = Context::get('module_name');
-		$mid = Context::get('target_mid');
-		$skin = Context::get('skin');
-		$skinType = Context::get('skin_type');
+		$layoutSrl = intval(Context::get('layout_srl'));
+		$module = preg_replace('/[^a-zA-Z0-9_]/', '', Context::get('module_name'));
+		$mid = preg_replace('/[^a-zA-Z0-9\/_-]/', '', Context::get('target_mid'));
+		$skin = preg_replace('/[^a-zA-Z0-9_-]/', '', Context::get('skin'));
+		$skinType = Context::get('skin_type') === 'M' ? 'M' : 'P';
 
 		try
 		{
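Review bot: The `target_mid` filter on the new `$mid` line still admits `/`, so a value such as `a/b` survives sanitisation; `..` is neutralised because `.` is stripped, but if the mid is later joined into a filesystem path (not visible in this hunk) a directory separator in user input remains, and it is unclear why a mid would need one — `$mid = preg_replace('/[^a-zA-Z0-9_-]/', '', Context::get('target_mid'));` would be the safer default unless a slash is deliberately required. Separately, `Context::get()` is not guaranteed to return a string: if the parameter arrives as `skin[]=...`, `preg_replace` on an array subject returns an array and `intval()` on an array returns 1, so none of the four filtered variables is actually constrained to a scalar; checking `is_string()` on each value (or casting before filtering) and rejecting anything else would close that gap. Stripping characters silently also turns a bad value into a different, valid-looking one rather than refusing it, so throwing `msg_invalid_request` when the value does not already match the allowed set would be the stricter pattern. The body of dispLayoutPreviewWithModule() continues past the hunk inside the try block, where these variables are consumed.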