xss defense

git-svn-id: http://xe-core.googlecode.com/svn/branches/1.5.0@9881 201d5d3c-b55e-5fd7-737f-ddc643e51545
2026-05-10 12:32:14 +09:00 · 2011-11-29 02:29:22 +00:00 · 2011-11-29 02:29:22 +00:00 · c2ec25e5b4
commit c2ec25e5b4
parent 60f6146e45
3 changed files with 9 additions and 7 deletions
--- a/modules/admin/admin.admin.view.php
+++ b/modules/admin/admin.admin.view.php
@ -250,6 +250,8 @@
 			$args->list_count = 5;;
 			$output = $oDocumentModel->getDocumentList($args, false, false, $columnList);
            Context::set('latestDocumentList', $output->data);
 			$security = new Security();
 			$security->encodeHTML('latestDocumentList..variables.nick_name');
 			unset($args, $output, $columnList);
 			// Latest Comment
--- a/modules/member/member.admin.view.php
+++ b/modules/member/member.admin.view.php
@ -142,7 +142,7 @@
 			$security = new Security();
 			$security->encodeHTML('member_config..');
-			$security->encodeHTML('member_info.user_name','member_info.description','member_info.group_list..');			
+			$security->encodeHTML('memberInfo.user_name', 'memberInfo.nick_name', 'memberInfo.description','memberInfo.group_list..');			
 			$security->encodeHTML('extend_form_list...');
            $this->setTemplateFile('member_info');
--- a/modules/member/tpl/member_info.html
+++ b/modules/member/tpl/member_info.html
@ -21,19 +21,19 @@
 {@$title = $extend_form_list[$formInfo->member_join_form_srl]->column_title}
 {@$orgValue = $extend_form_list[$formInfo->member_join_form_srl]->value}
 			<!--@if($formInfo->type=='tel')-->
-				{@$value = htmlspecialchars($orgValue[0])}
+				{@$value = $orgValue[0]}
 					<!--@if($orgValue[1])-->-<!--@end-->
-				{@$value .= htmlspecialchars($orgValue[1])}
+				{@$value .= $orgValue[1]}
 					<!--@if($orgValue[2])-->-<!--@end-->
-				{@$value .= htmlspecialchars($orgValue[2])}
+				{@$value .= $orgValue[2]}
 			<!--@elseif($formInfo->type=='kr_zip')-->
-				{@$value = htmlspecialchars($orgValue[0])}<!--@if($orgValue[1]&&$orgValue[0])--><br /><!--@end-->{@$value .= htmlspecialchars($orgValue[1])}
+				{@$value = $orgValue[0]}<!--@if($orgValue[1]&&$orgValue[0])--><br /><!--@end-->{@$value .= $orgValue[1]}
 			<!--@elseif($formInfo->type=='checkbox' && is_array($orgValue))-->
-				{@$value = htmlspecialchars(implode(", ",$orgValue))}
+				{@$value = implode(", ",$orgValue)}
 			<!--@elseif($formInfo->type=='date')-->
 				{@$value = zdate($orgValue, "Y-m-d")}
 			<!--@else-->
-				{@$value = nl2br(htmlspecialchars($orgValue))}
+				{@$value = nl2br($orgValue)}
 			<!--@end-->
 		<!--@end-->