fanbinit/rhymix
1
0
Fork 0
mirror of https://github.com/Lastorder-DC/rhymix.git synced 2026-01-06 10:11:38 +09:00
Code Issues Projects Releases Packages Wiki Activity

fix #1813 레이아웃 미리보기 동작에 CSRF/XSS 방어 및 embed URL에 'act' parameter 사용 제한

Browse source 
- `layoutView::dispLayoutPreview()`에 XSS/CSRF 방어
- src, href, style 등 HTML attribute에 'act'를 포함하는 URL을 사용할 수 없도록 제한
This commit is contained in:
bnu 2015-12-08 15:11:55 +09:00
parent ca0fb36fb8
commit c1eab055bc
4 changed files with 42 additions and 54 deletions
Download patch file Download diff file Expand all files Collapse all files

6
modules/layout/layout.view.php
View file

@ -316,6 +316,12 @@ class layoutView extends layout
*/
function dispLayoutPreview()
{
if(!checkCSRF())
{
$this->stop('msg_invalid_request');
return new Object(-1, 'msg_invalid_request');
}
// admin check
// this act is admin view but in normal view because do not load admin css/js files
$logged_info = Context::get('logged_info');