From a3650bb8994efdd3bac0ced8eb9cf19ad5a47546 Mon Sep 17 00:00:00 2001
From: Kijin Sung
Date: Sat, 20 Jan 2024 00:39:19 +0900
Subject: [PATCH 1/5] RVE-2024-1 missing escape of autogenerated document title

---
 modules/document/document.controller.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/document/document.controller.php b/modules/document/document.controller.php
index 79595deb0..6d2516c8b 100644
--- a/modules/document/document.controller.php
+++ b/modules/document/document.controller.php
@@ -750,7 +750,7 @@ class DocumentController extends Document
 $obj->title = escape($obj->title, false);
 if($obj->title == '')
 {
-$obj->title = cut_str(trim(strip_tags(nl2br($obj->content))),20,'...');
+$obj->title = escape(cut_str(trim(utf8_normalize_spaces(strip_tags($obj->content))), 20, '...'), false);
 }
 if($obj->title == '')
 {

From 152fb4e75361a55cb350e3da4cc3b47754eff9a2 Mon Sep 17 00:00:00 2001
From: Kijin Sung
Date: Sat, 20 Jan 2024 00:40:36 +0900
Subject: [PATCH 2/5] RVE-2024-1 always escape DocumentItem->getTitleText()

---
 modules/document/document.item.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/modules/document/document.item.php b/modules/document/document.item.php
index 29d750311..8be5e3645 100644
--- a/modules/document/document.item.php
+++ b/modules/document/document.item.php
@@ -495,7 +495,8 @@ class DocumentItem extends BaseObject
 return;
 }
-return $cut_size ? cut_str($this->get('title'), $cut_size, $tail) : $this->get('title');
+$title = $cut_size ? cut_str($this->get('title'), $cut_size, $tail) : $this->get('title');
+return escape($title, false);
 }
 function getVoted()
@@ -593,7 +594,7 @@ class DocumentItem extends BaseObject
 return false;
 }
-$title = escape($this->getTitleText($cut_size, $tail), false);
+$title = $this->getTitleText($cut_size, $tail);
 $this->add('title_color', trim($this->get('title_color') ?? ''));
 $attrs = array();
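Review bot: The added line escapes the fallback title only after `cut_str` has truncated the stripped content, so the 20-character budget is measured on text that may already contain HTML entities (e.g. `&lt;` in stored content) and a cut can land inside one; `escape(..., false)` then re-encodes the dangling `&`, which is safe but can leave a tail such as `&amp;l...`. Whether `cut_str` counts characters or bytes is not visible here, so that behaviour should be confirmed against its definition. The `false` argument is load-bearing — it appears to suppress double-encoding of entities already present in `$obj->content` — and deserves a comment on the new line: `// double_escape=false: stored content may already contain entities`. A regression test that saves a document with an empty title and markup in the body, then asserts the stored title holds `&lt;`/`&gt;` rather than raw angle brackets, would pin the fix. The enclosing method starts and ends outside the hunk.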
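Review bot: With the added `return escape($title, false);` every caller of getTitleText() now receives HTML-entity-encoded text, which is right for HTML contexts but changes the contract for any consumer that wanted plain text (page `<title>`, RSS or JSON output, mail subjects, JavaScript string literals) — patch 3/5 of this series handles the JS case, so the remaining callers are worth auditing. The early `return;` visible above means the method's result is now `?string`, and nothing documents that the value is already escaped; a docblock such as `/** Title of this document, HTML-escaped without double-encoding; cut to $cut_size characters when non-zero. Returns null when the guard at the top of the method returns early. */` would make the new contract explicit. Note too that `cut_str` still runs on the raw title before escaping, so truncation can split an entity that was already in the stored title (document.controller escapes titles on save, as the first patch's context shows); the re-encoding keeps this safe but may produce an odd tail. The method's signature and the condition guarding `return;` lie outside the hunk.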
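Review bot: Dropping the explicit `escape()` here makes getTitle() depend on getTitleText() escaping its result, a coupling that is invisible at this line; a one-line comment `// getTitleText() already HTML-escapes; escaping again with the default arguments would double-encode` would keep a future maintainer from re-adding it. The rest of getTitle(), including where `$title` is emitted into markup, is outside the hunk, so whether anything downstream re-escapes cannot be checked here.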
From 1854700e775cea18428e898f88e2813c16fc3fc4 Mon Sep 17 00:00:00 2001
From: Kijin Sung
Date: Sat, 20 Jan 2024 00:41:14 +0900
Subject: [PATCH 3/5] RVE-2024-1 properly encode document title passed to js variable

---
 modules/board/skins/default/_read.html | 2 +-
 modules/board/skins/xedition/_read.html | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/board/skins/default/_read.html b/modules/board/skins/default/_read.html
index 28c6f8571..dfee5006c 100644
--- a/modules/board/skins/default/_read.html
+++ b/modules/board/skins/default/_read.html
@@ -67,7 +67,7 @@