모듈 선택기 보안 문제 수정

매니저 권한을 가지고 있는 모듈만 출력하도록 조정 'site_keyword' xss 회원 모듈 스킨 '작성 글 보기', '작성 글 보기' 페이지에서 [모듈 찾기] 버튼 제거 기타 소스 코드 정리
2026-01-07 10:41:40 +09:00 · 2017-04-22 15:35:32 +09:00 · 2017-04-22 15:35:32 +09:00 · fa5c7afce2
commit fa5c7afce2
parent 9175a31ccf
6 changed files with 71 additions and 127 deletions
--- a/modules/member/skins/default/comment_list.html
+++ b/modules/member/skins/default/comment_list.html
@ -3,10 +3,6 @@
 <table class="table table-striped table-hover">
 	<caption>
 		Total: {number_format($total_count)}, Page {number_format($page)}/{number_format($total_page)}
-		<span class="pull-right">
-			<a href="{getUrl('','module','module','act','dispModuleSelectList','id','target_module','type','single')}" class="btn" onclick="popopen(this.href,'ModuleSelect');return false;">{$lang->cmd_find_module}</a>
-			<a href="{getUrl('selected_module_srl','')}" cond="$selected_module_srl" class="btn">{$lang->cmd_cancel}</a>
-		</span>
 	</caption>
 	<thead>
 		<tr>
--- a/modules/member/skins/default/document_list.html
+++ b/modules/member/skins/default/document_list.html
@ -3,10 +3,6 @@
 <table class="table table-striped table-hover">
 	<caption>
 		Total: {number_format($total_count)}, Page {number_format($page)}/{number_format($total_page)}
-		<span class="pull-right">
-			<a href="{getUrl('','module','module','act','dispModuleSelectList','id','target_module','type','single')}" class="btn" onclick="popopen(this.href,'ModuleSelect');return false;">{$lang->cmd_find_module}</a>
-			<a href="{getUrl('selected_module_srl','')}" cond="$selected_module_srl" class="btn">{$lang->cmd_cancel}</a>
-		</span>
 	</caption>
 	<thead>
 		<tr>
--- a/modules/member/skins/simple_world/comment_list.html
+++ b/modules/member/skins/simple_world/comment_list.html
@ -30,8 +30,4 @@
 		<li><a href="{getUrl('page',$page_navigation->last_page,'module_srl','')}" class="direction">{lang('common.last_page')} &rsaquo;</a></li>
 	</ul>
 </div>
-<div class="sw-footer sw-anchor-buttons">
-	<a href="{getUrl('','module','module','act','dispModuleSelectList','id','target_module','type','single')}" onclick="popopen(this.href,'ModuleSelect');return false;">{lang('module.cmd_find_module')}</a>
-	<a href="{getUrl('selected_module_srl','')}" cond="$selected_module_srl">{lang('common.cmd_cancel')}</a>
-</div>
 <include target="./common_footer.html" />
--- a/modules/member/skins/simple_world/document_list.html
+++ b/modules/member/skins/simple_world/document_list.html
@ -36,8 +36,4 @@
 		<li><a href="{getUrl('page',$page_navigation->last_page,'module_srl','')}" class="direction">{lang('common.last_page')} &rsaquo;</a></li>
 	</ul>
 </div>
-<div class="sw-footer sw-anchor-buttons">
-	<a href="{getUrl('','module','module','act','dispModuleSelectList','id','target_module','type','single')}" onclick="popopen(this.href,'ModuleSelect');return false;">{lang('module.cmd_find_module')}</a>
-	<a href="{getUrl('selected_module_srl','')}" cond="$selected_module_srl">{lang('common.cmd_cancel')}</a>
-</div>
 <include target="./common_footer.html" />
--- a/modules/module/module.view.php
+++ b/modules/module/module.view.php
@ -43,92 +43,79 @@ class moduleView extends module
 	 */
 	function dispModuleSelectList()
 	{
-		if(!Context::get('is_logged')) return new Object(-1, 'msg_not_permitted');
-
-		$oModuleModel = getModel('module');
-		// Extract the number of virtual sites
-		$output = executeQuery('module.getSiteCount');
-		$site_count = $output->data->count;
-		Context::set('site_count', $site_count);
-		// Variable setting for site keyword
-		$site_keyword = Context::get('site_keyword');
-		// If there is no site keyword, use as information of the current virtual site
-		$args = new stdClass();
-		$logged_info = Context::get('logged_info');
-		if($logged_info->is_admin == 'Y')
+		$args = new stdClass;
+		
+		if(Context::get('logged_info')->is_admin === 'Y')
 		{
-			$query_id = 'module.getSiteModules';
-			$module_category_exists = false;
-			if(!$site_keyword)
+			// If site keyword exists, extract information from the sites
+			if($site_keyword = Context::get('site_keyword'))
 			{
-				$site_module_info = Context::get('site_module_info');
-				if($site_module_info && $logged_info->is_admin != 'Y')
-				{
-					$site_keyword = $site_module_info->domain;
-					$args->site_srl = (int)$site_module_info->site_srl;
-					Context::set('site_keyword', $site_keyword);
-				}
-				else
-				{
-					$query_id = 'module.getDefaultModules';
-					$args->site_srl = 0;
-					$module_category_exists = true;
-				}
-				// If site keyword exists, extract information from the sites
+				$args->site_keyword = $site_keyword;
+			}
+			// If there is no site keyword, use as information of the current virtual site
+			else
+			{
+				$args->site_srl = 0;
+				$query_id = 'module.getDefaultModules';
+			}
+			
+			Context::set('site_count', executeQuery('module.getSiteCount')->data->count);
+		}
+		else
+		{
+			$args->site_srl = (int) Context::get('site_module_info')->site_srl;
+		}
+		
+		// Get a list of modules at the site
+		$output = executeQueryArray(isset($query_id) ? $query_id : 'module.getSiteModules', $args);
+		
+		$mid_list = array();
+		$oModuleModel = getModel('module');
+		
+		foreach($output->data as $key => $val)
+		{
+			if(!$oModuleModel->getGrant($val, Context::get('logged_info'))->manager)
+			{
+				continue;
+			}
+			
+			if(!isset($mid_list[$val->module]))
+			{
+				$mid_list[$val->module] = new stdClass;
+				$mid_list[$val->module]->list = array();
+			}
+			
+			$obj = new stdClass;
+			$obj->module_srl = $val->module_srl;
+			$obj->browser_title = $val->browser_title;
+			
+			$mid_list[$val->module]->list[$val->category ?: 0][$val->mid] = $obj;
+			$mid_list[$val->module]->title = $oModuleModel->getModuleInfoXml($val->module)->title;
+		}
+		
+		Context::set('mid_list', $mid_list);
+		
+		if(!empty($mid_list))
+		{
+			if(($selected_module = Context::get('selected_module')) && isset($mid_list[$selected_module]->list))
+			{
+				Context::set('selected_mids', $mid_list[$selected_module]->list);
 			}
 			else
 			{
-				$args->site_keyword = $site_keyword;
+				Context::set('selected_mids', array_first($mid_list)->list);
+				Context::set('selected_module', array_first_key($mid_list));
 			}
 		}
 		else
 		{
-			$query_id = 'module.getSiteModules';
-			$site_module_info = Context::get('site_module_info');
-			$args->site_srl = (int)$site_module_info->site_srl;
-		}
-		//if(is_null($args->site_srl)) $query_id = 'module.getDefaultModules';
-		// Get a list of modules at the site
-		$output = executeQueryArray($query_id, $args);
-		$category_list = $mid_list = array();
-		if(count($output->data))
-		{
-			foreach($output->data as $key => $val)
-			{
-				$module = trim($val->module);
-				if(!$module) continue;
-
-				$category = $val->category;
-				$obj = new stdClass();
-				$obj->module_srl = $val->module_srl;
-				$obj->browser_title = $val->browser_title;
-				$mid_list[$module]->list[$category][$val->mid] = $obj;
-			}
-		}
-
-		$selected_module = Context::get('selected_module');
-		if(count($mid_list))
-		{
-			foreach($mid_list as $module => $val)
-			{
-				if(!$selected_module) $selected_module = $module;
-				$xml_info = $oModuleModel->getModuleInfoXml($module);
-				$mid_list[$module]->title = $xml_info->title;
-			}
+			Context::set('selected_mids', array());
 		}
 		
-		// not show admin bar
-		Context::set('mid_list', $mid_list);
-		Context::set('selected_module', $selected_module);
-		Context::set('selected_mids', $mid_list[$selected_module]->list);
-		Context::set('module_category_exists', $module_category_exists);
-
 		$security = new Security();
-		$security->encodeHTML('id', 'type');
-
-		// Set the layout to be pop-up
+		$security->encodeHTML('id', 'type', 'site_keyword');
+		
 		$this->setLayoutFile('popup_layout');
-		// Set a template file
 		$this->setTemplateFile('module_selector');
 	}

--- a/modules/module/tpl/module_selector.html
+++ b/modules/module/tpl/module_selector.html
@ -8,7 +8,8 @@
 	<input type="hidden" name="id" value="{$id}" />
 	<input type="hidden" name="type" value="{$type}" />
 	<input type="hidden" name="vid" value="{$vid}" />
-	<div class="x_control-group" cond="$site_count && $logged_info->is_admin == 'Y'">
+	
+	<div class="x_control-group" cond="$logged_info->is_admin === 'Y' && $site_count">
 		<label class="x_control-label" for="site_keyword">{$lang->virtual_site}</label>
 		<div class="x_controls">
 			<span class="x_input-append">
@ -18,18 +19,19 @@
 			<p class="x_help-block">{$lang->about_search_virtual_site}</p>
 		</div>
 	</div>
+	
 	<div class="x_control-group">
 		<label class="x_control-label" for="selected_module">{$lang->module}</label>
 		<div class="x_controls">
 			<select name="selected_module" id="selected_module">
-				<option loop="$mid_list => $key,$val" value="{$key}" selected="selected"|cond="$selected_module == $key">{$val->title}</option>
+				<option loop="$mid_list => $key,$val" value="{$key}" selected="selected"|cond="$key == $selected_module">{$val->title}</option>
 			</select>
 			<input type="submit" value="{$lang->cmd_search}" class="x_btn" />
 		</div>
 	</div>
-	<!--@if($module_category_exists)-->
-	<!--@foreach($selected_mids as $key => $val)-->
-	<h2 cond="$key" style="margin-top:40px;">{$key}</h2>
+	
+	<!--@foreach($selected_mids as $category_name => $list)-->
+	<h2 cond="$category_name" style="margin-top:40px;">{$category_name}</h2>
 	<table class="x_table x_table-striped x_table-hover" style="border-top:1px dotted #ddd">
 		<thead>
 			<tr>
@ -39,41 +41,12 @@
 			<tr>
 		</thead>
 		<tbody>
-			<tr>
-			{@ $_idx =0; }
-			<!--@foreach($val as $k => $v)-->
-				<!--@if($_idx >0)--><tr><!--@end-->
-				{@ $browser_title = str_replace("'", "\\'", htmlspecialchars($v->browser_title, ENT_COMPAT | ENT_HTML401, 'UTF-8', false)); }
-				<td>{$k}</td>
-				<td>{$v->browser_title}</td>
-				<td><a href="#" onclick="insertModule('{$id}', {$v->module_srl}, '{$k}', '{$browser_title}',{$type=='single'?'false':'true'}); return false;" class="button green"><span>{$type=='single'?$lang->cmd_select:$lang->cmd_insert}</span></a></td>
-				<!--@if($_idx <count($val))--></tr><!--@end-->
-			{@ $_idx ++; }
-			<!--@end-->
+			<tr loop="$list => $mid_name,$module_info">
+				<td>{$mid_name}</td>
+				<td>{$module_info->browser_title}</td>
+				<td><a href="#" onclick="insertModule('{$id}', {$module_info->module_srl}, '{$mid_name}', '{escape($module_info->browser_title, false)}', {$type=='single'?'false':'true'}); return false;" class="button green"><span>{$type=='single'?$lang->cmd_select:$lang->cmd_insert}</span></a></td>
 			</tr>
 		</tbody>
 	</table>
 	<!--@end-->
-	<!--@else-->
-	<table class="x_table x_table-striped x_table-hover" style="border-top:1px dotted #ddd">
-		<thead>
-			<tr>
-				<th>{$lang->mid}</th>
-				<th>{$lang->browser_title}</th>
-				<th>{$type=='single'?$lang->cmd_select:$lang->cmd_insert}</th>
-			<tr>
-		</thead>
-		<tbody>
-		<!--@foreach($selected_mids as $key => $val)-->
-			<!--@foreach($val as $k => $v)-->
-			<tr>
-				<td>{$k}</td>
-				<td>{$v->browser_title}</td>
-				<td><a href="#" onclick="insertModule('{$id}', {$v->module_srl}, '{$k}', '{str_replace("'","\\'",$v->browser_title)}',{$type=='single'?'false':'true'}); return false;" class="button green"><span>{$type=='single'?$lang->cmd_select:$lang->cmd_insert}</span></a></td>
-			</tr>
-			<!--@end-->
-		<!--@end-->
-		</tbody>
-	</table>
-	<!--@end-->
 </form>