mirror of
https://github.com/Lastorder-DC/rhymix.git
synced 2026-01-08 11:11:39 +09:00
#309 SECISSUE homepage필드를 이용한 XSS 공격 방어, 댓글 작성시에도 적용
This commit is contained in:
khongchi
parent
775f68a31a
commit
ecb5628725
2 changed files with 21 additions and 5 deletions
|
|
@ -266,9 +266,13 @@ class commentController extends comment
|
|||
return new Object(-1, 'msg_invalid_request');
|
||||
}
|
||||
|
||||
if($obj->homepage && !preg_match('/^[a-z]+:\/\//i', $obj->homepage))
|
||||
if($obj->homepage)
|
||||
{
|
||||
$obj->homepage = 'http://' . $obj->homepage;
|
||||
$obj->homepage = removeHackTag($obj->homepage);
|
||||
if(!preg_match('/^[a-z]+:\/\//i',$obj->homepage))
|
||||
{
|
||||
$obj->homepage = 'http://'.$obj->homepage;
|
||||
}
|
||||
}
|
||||
|
||||
// input the member's information if logged-in
|
||||
|
|
@ -655,9 +659,13 @@ class commentController extends comment
|
|||
$obj->password = md5($obj->password);
|
||||
}
|
||||
|
||||
if($obj->homepage && !preg_match('/^[a-z]+:\/\//i', $obj->homepage))
|
||||
if($obj->homepage)
|
||||
{
|
||||
$obj->homepage = 'http://' . $obj->homepage;
|
||||
$obj->homepage = removeHackTag($obj->homepage);
|
||||
if(!preg_match('/^[a-z]+:\/\//i',$obj->homepage))
|
||||
{
|
||||
$obj->homepage = 'http://'.$obj->homepage;
|
||||
}
|
||||
}
|
||||
|
||||
// set modifier's information if logged-in and posting author and modifier are matched.
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue