모듈 선택기 보안 문제 수정

매니저 권한을 가지고 있는 모듈만 출력하도록 조정 'site_keyword' xss 회원 모듈 스킨 '작성 글 보기', '작성 글 보기' 페이지에서 [모듈 찾기] 버튼 제거 기타 소스 코드 정리
2026-01-07 18:51:41 +09:00 · 2017-04-22 15:35:32 +09:00 · 2017-04-22 15:35:32 +09:00 · fa5c7afce2
commit fa5c7afce2
parent 9175a31ccf
6 changed files with 71 additions and 127 deletions
--- a/modules/module/tpl/module_selector.html
+++ b/modules/module/tpl/module_selector.html
@ -8,7 +8,8 @@
 	<input type="hidden" name="id" value="{$id}" />
 	<input type="hidden" name="type" value="{$type}" />
 	<input type="hidden" name="vid" value="{$vid}" />
-	<div class="x_control-group" cond="$site_count && $logged_info->is_admin == 'Y'">
+	
+	<div class="x_control-group" cond="$logged_info->is_admin === 'Y' && $site_count">
 		<label class="x_control-label" for="site_keyword">{$lang->virtual_site}</label>
 		<div class="x_controls">
 			<span class="x_input-append">
@ -18,18 +19,19 @@
 			<p class="x_help-block">{$lang->about_search_virtual_site}</p>
 		</div>
 	</div>
+	
 	<div class="x_control-group">
 		<label class="x_control-label" for="selected_module">{$lang->module}</label>
 		<div class="x_controls">
 			<select name="selected_module" id="selected_module">
-				<option loop="$mid_list => $key,$val" value="{$key}" selected="selected"|cond="$selected_module == $key">{$val->title}</option>
+				<option loop="$mid_list => $key,$val" value="{$key}" selected="selected"|cond="$key == $selected_module">{$val->title}</option>
 			</select>
 			<input type="submit" value="{$lang->cmd_search}" class="x_btn" />
 		</div>
 	</div>
-	<!--@if($module_category_exists)-->
-	<!--@foreach($selected_mids as $key => $val)-->
-	<h2 cond="$key" style="margin-top:40px;">{$key}</h2>
+	
+	<!--@foreach($selected_mids as $category_name => $list)-->
+	<h2 cond="$category_name" style="margin-top:40px;">{$category_name}</h2>
 	<table class="x_table x_table-striped x_table-hover" style="border-top:1px dotted #ddd">
 		<thead>
 			<tr>
@ -39,41 +41,12 @@
 			<tr>
 		</thead>
 		<tbody>
-			<tr>
-			{@ $_idx =0; }
-			<!--@foreach($val as $k => $v)-->
-				<!--@if($_idx >0)--><tr><!--@end-->
-				{@ $browser_title = str_replace("'", "\\'", htmlspecialchars($v->browser_title, ENT_COMPAT | ENT_HTML401, 'UTF-8', false)); }
-				<td>{$k}</td>
-				<td>{$v->browser_title}</td>
-				<td><a href="#" onclick="insertModule('{$id}', {$v->module_srl}, '{$k}', '{$browser_title}',{$type=='single'?'false':'true'}); return false;" class="button green"><span>{$type=='single'?$lang->cmd_select:$lang->cmd_insert}</span></a></td>
-				<!--@if($_idx <count($val))--></tr><!--@end-->
-			{@ $_idx ++; }
-			<!--@end-->
+			<tr loop="$list => $mid_name,$module_info">
+				<td>{$mid_name}</td>
+				<td>{$module_info->browser_title}</td>
+				<td><a href="#" onclick="insertModule('{$id}', {$module_info->module_srl}, '{$mid_name}', '{escape($module_info->browser_title, false)}', {$type=='single'?'false':'true'}); return false;" class="button green"><span>{$type=='single'?$lang->cmd_select:$lang->cmd_insert}</span></a></td>
 			</tr>
 		</tbody>
 	</table>
 	<!--@end-->
-	<!--@else-->
-	<table class="x_table x_table-striped x_table-hover" style="border-top:1px dotted #ddd">
-		<thead>
-			<tr>
-				<th>{$lang->mid}</th>
-				<th>{$lang->browser_title}</th>
-				<th>{$type=='single'?$lang->cmd_select:$lang->cmd_insert}</th>
-			<tr>
-		</thead>
-		<tbody>
-		<!--@foreach($selected_mids as $key => $val)-->
-			<!--@foreach($val as $k => $v)-->
-			<tr>
-				<td>{$k}</td>
-				<td>{$v->browser_title}</td>
-				<td><a href="#" onclick="insertModule('{$id}', {$v->module_srl}, '{$k}', '{str_replace("'","\\'",$v->browser_title)}',{$type=='single'?'false':'true'}); return false;" class="button green"><span>{$type=='single'?$lang->cmd_select:$lang->cmd_insert}</span></a></td>
-			</tr>
-			<!--@end-->
-		<!--@end-->
-		</tbody>
-	</table>
-	<!--@end-->
 </form>