fix #1813 레이아웃 미리보기 동작에 CSRF/XSS 방어 및 embed URL에 'act' parameter 사용 제한

- `layoutView::dispLayoutPreview()`에 XSS/CSRF 방어 - src, href, style 등 HTML attribute에 'act'를 포함하는 URL을 사용할 수 없도록 제한
2026-01-04 01:01:41 +09:00 · 2015-12-08 15:11:55 +09:00 · 2015-12-08 15:11:55 +09:00 · c1eab055bc
commit c1eab055bc
parent ca0fb36fb8
4 changed files with 42 additions and 54 deletions
--- a/config/func.inc.php
+++ b/config/func.inc.php
@ -1212,6 +1212,24 @@ function removeSrcHack($match)
 		}
 	}

+	$filter_arrts = array('style', 'src', 'href');
+
+	if($tag === 'object') array_push($filter_arrts, 'data');
+	if($tag === 'param') array_push($filter_arrts, 'value');
+
+	foreach($filter_arrts as $attr)
+	{
+		if(!isset($attrs[$attr])) continue;
+
+		$attr_value = rawurldecode($attrs[$attr]);
+		$attr_value = htmlspecialchars_decode($attr_value, ENT_COMPAT);
+		$attr_value = preg_replace('/\s+|[\t\n\r]+/', '', $attr_value);
+		if(preg_match('@(\?|&|;)(act=)@i', $attr_value))
+		{
+			unset($attrs[$attr]);
+		}
+	}
+
 	if(isset($attrs['style']) && preg_match('@(?:/\*|\*/|\n|:\s*expression\s*\()@i', $attrs['style']))
 	{
 		unset($attrs['style']);
--- a/modules/layout/layout.view.php
+++ b/modules/layout/layout.view.php
@ -316,6 +316,12 @@ class layoutView extends layout
 	 */
 	function dispLayoutPreview()
 	{
+		if(!checkCSRF())
+		{
+			$this->stop('msg_invalid_request');
+			return new Object(-1, 'msg_invalid_request');
+		}
+
 		// admin check
 		// this act is admin view but in normal view because do not load admin css/js files
 		$logged_info = Context::get('logged_info');
--- a/tests/unit/FuncIncTest.class.php
+++ b/tests/unit/FuncIncTest.class.php
@ -1,53 +0,0 @@
-<?php
-class FuncIncTest extends \Codeception\TestCase\Test
-{
-    static public function provider()
-    {
-        return array(
-            // remove iframe
-            array(
-                '<div class="frame"><iframe src="path/to/file.html"></iframe><p><a href="#iframe">IFrame</a></p></div>',
-                '<div class="frame">&lt;iframe src="path/to/file.html">&lt;/iframe><p><a href="#iframe">IFrame</a></p></div>'
-            ),
-            // expression
-            array(
-                '<div class="dummy" style="xss:expr/*XSS*/ession(alert(\'XSS\'))">',
-                '<div class="dummy">'
-            ),
-            // no quotes and no semicolon - http://ha.ckers.org/xss.html
-            array(
-                '<img src=javascript:alert(\'xss\')>',
-                '<img>'
-            ),
-            // embedded encoded tab to break up XSS - http://ha.ckers.org/xss.html
-            array(
-                '<IMG SRC="jav&#x09;ascript:alert(\'XSS\');">',
-                '<img>'
-            ),
-            // issue 178
-            array(
-                "<img src=\"invalid\"\nonerror=\"alert(1)\" />",
-                '<img src="invalid" />'
-            ),
-            // issue 534
-            array(
-                '<img src=\'as"df dummy=\'"1234\'" 4321\' asdf/*/>*/"  onerror="console.log(\'Yet another XSS\')">',
-                '<img src="as&quot;df dummy=" />*/"  onerror="console.log(\'Yet another XSS\')">'
-            ),
-            // issue 602
-            array(
-                '<img alt="test" src="(http://static.naver.com/www/u/2010/0611/nmms_215646753.gif" onload="eval(String.fromCharCode(105,61,49,48,48,59,119,104,105,108,101, 40,105,62,48,41,97,108,101,114,116,40,40,105,45,45,41,43,39,48264,47564,32, 45908,32,53364,47533,54616,49464,50836,39,41,59));">',
-                '<img alt="test" src="(http://static.naver.com/www/u/2010/0611/nmms_215646753.gif">'
-            )
-        );
-    }
-
-    /**
-     * @dataProvider provider
-     */
-    public function testXss($source, $expected)
-    {
-        $result = removeHackTag($source);
-        $this->assertEquals($result, $expected);
-    }
-}
--- a/tests/unit/FuncIncTest.php
+++ b/tests/unit/FuncIncTest.php
@ -29,7 +29,7 @@ class FuncIncTest extends \Codeception\TestCase\Test
            ),
            // issue 178
            array(
-                "<img src=\"invalid.jpg\"\nonerror=\"alert(1)\" />",
+                '<img src="invalid.jpg"\nonerror="alert(1)" />',
                '<img src="invalid.jpg" alt="invalid.jpg" />'
            ),
            // issue 534
@ -41,6 +41,23 @@ class FuncIncTest extends \Codeception\TestCase\Test
            array(
                '<img alt="test" src="(http://static.naver.com/www/u/2010/0611/nmms_215646753.gif" onload="eval(String.fromCharCode(105,61,49,48,48,59,119,104,105,108,101, 40,105,62,48,41,97,108,101,114,116,40,40,105,45,45,41,43,39,48264,47564,32, 45908,32,53364,47533,54616,49464,50836,39,41,59));">',
                ''
+            ),
+            // issue #1813 https://github.com/xpressengine/xe-core/issues/1813
+            array(
+                '<img src="?act=dispLayoutPreview" alt="dummy" />',
+                '<img alt="dummy" />'
+            ),
+            array(
+                '<img src="?act =dispLayoutPreview" alt="dummy" />',
+                '<img alt="dummy" />'
+            ),
+            array(
+                "<img src=\"?act\n=dispLayoutPreview\" alt=\"dummy\" />",
+                '<img alt="dummy" />'
+            ),
+            array(
+                "<img src=\"?pam=act&a\nct  =\r\n\tdispLayoutPreview\" alt=\"dummy\" />",
+                '<img alt="dummy" />'
            )
        );
    }