tolag3/koipa_edu_2025-1
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

이지우 - 웹 취약점 > 성인 교육 등록 시 XXS 방지 추가, web.xml 내 에러 페이지 종류 주가, 주석 iframe 삭제

Browse Source
This commit is contained in:
JIWOO 2024-08-20 17:14:09 +09:00
parent d66b6f4662
commit 6dabf0b731
4 changed files with 55 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
src/main/java/kcc/ve/aplct/adultVisitEdu/eduAplct/web/EduAplctAdultController.java
View File

@ -235,7 +235,10 @@ public class EduAplctAdultController {
//로그인 처리==================================== //로그인 처리====================================
//로그인 정보 가져오기 //로그인 정보 가져오기
/*240820 XSS 취약점 조치*/
vEEduAplctVO.setJobNm(unscript(vEEduAplctVO.getJobNm()));
String s_userCheckNInfo = checkLoginUtil.userCheckNInfo(model, request); String s_userCheckNInfo = checkLoginUtil.userCheckNInfo(model, request);
if (!"".equals(s_userCheckNInfo)) { if (!"".equals(s_userCheckNInfo)) {
modelAndView.addObject("result", "loginFail"); modelAndView.addObject("result", "loginFail");
@ -558,4 +561,39 @@ public class EduAplctAdultController {
return p_paginationInfo; return p_paginationInfo;
} }
/**
* XSS 방지 처리.
*
* @param data
* @return
*/
protected String unscript(String data) {
if (data == null || data.trim().equals("")) {
return "";
}
String ret = data;
ret = ret.replaceAll("<(S|s)(C|c)(R|r)(I|i)(P|p)(T|t)", "&lt;script");
ret = ret.replaceAll("</(S|s)(C|c)(R|r)(I|i)(P|p)(T|t)", "&lt;/script");
ret = ret.replaceAll("<(O|o)(B|b)(J|j)(E|e)(C|c)(T|t)", "&lt;object");
ret = ret.replaceAll("</(O|o)(B|b)(J|j)(E|e)(C|c)(T|t)", "&lt;/object");
ret = ret.replaceAll("<(A|a)(P|p)(P|p)(L|l)(E|e)(T|t)", "&lt;applet");
ret = ret.replaceAll("</(A|a)(P|p)(P|p)(L|l)(E|e)(T|t)", "&lt;/applet");
ret = ret.replaceAll("<(E|e)(M|m)(B|b)(E|e)(D|d)", "&lt;embed");
ret = ret.replaceAll("</(E|e)(M|m)(B|b)(E|e)(D|d)", "&lt;embed");
ret = ret.replaceAll("<(F|f)(O|o)(R|r)(M|m)", "&lt;form");
ret = ret.replaceAll("</(F|f)(O|o)(R|r)(M|m)", "&lt;form");
//ret = ret.replaceAll("<", "&lt;");
ret = ret.replaceAll("alert", "");
//ret = ret.replaceAll("iframe", "");
return ret;
}
} }

17
src/main/webapp/WEB-INF/jsp/oprtn/cpyrgExprnClsrm/oprtnAplctAnncmMngReg.jsp
View File

@ -488,23 +488,6 @@
</div> </div>
</div> </div>
</div> </div>
<%-- <div id="sel_date" class="sel_date">
<input type="text" class="startDate inp" title="검색시작일" id="startDate01" name="strtPnttm" onclick="return calendarOpen('startDate01-lry','',this)" value="${vEPrcsDetailVO.endPnttm}" data-datecontrol="true" readonly>
<div class="calendar_in" id="calendarName_startDate" style="z-index: 9;">
<button type="button" value="달력 팝업 열기" onclick="return calendarOpen('startDate01-lry','',this)" class="btn_cal"></button>
<div id="startDate01-lry" class="calendarPop" style="display: none;">
<iframe id="startDate01-ifrm" name="startDate01-ifrm" class="calendar-frame" src="/kccadrPb/adm/calendar.html" title=" 달력 팝업" frameborder="0" scrolling="no"></iframe>
</div>
</div> ~
<input type="text" class="endDate inp" title="검색시작일" id="endDate" name="endPnttm" onclick="return calendarOpen('endDate-lry','',this)" value="${vEPrcsDetailVO.endPnttm}" data-datecontrol="true" readonly>
<div class="calendar_in" id="calendarName_endDate" style="z-index: 9;">
<button type="button" value="달력 팝업 열기" onclick="return calendarOpen('endDate-lry','',this)" class="btn_cal" ></button>
<div id="endDate-lry" class="calendarPop" style="display: none;">
<iframe id="endDate-ifrm" name="endDate-ifrm" class="calendar-frame" src="/kccadrPb/adm/calendar.html"title=" 달력 팝업" frameborder="0" scrolling="no"></iframe>
</div>
</div>
</div> --%>
</td> </td>
</tr> </tr>

18
src/main/webapp/WEB-INF/jsp/oprtn/cpyrgExprnClsrm/oprtnAplctAnncmMngUpdate.jsp
View File

@ -476,24 +476,6 @@
</div> </div>
</div> </div>
</div> </div>
<%-- <div id="sel_date" class="sel_date">
<fmt:parseDate value='${info.strtPnttm}' var='strtPnttmDe' pattern="yyMMddHHmmss" scope="page" />
<fmt:parseDate value='${info.endPnttm}' var='endPnttmDe' pattern="yyMMddHHmmss" scope="page" />
<input type="text" value="<fmt:formatDate value="${strtPnttmDe}" pattern="yyyy-MM-dd"/>" class="startDate inp" title="검색시작일" id="startDate01" name="strtPnttm" onclick="return calendarOpen('startDate01-lry','',this)" value="${vEPrcsDetailVO.endPnttm}" data-datecontrol="true" readonly>
<div class="calendar_in" id="calendarName_startDate" style="z-index: 9;">
<button type="button" value="달력 팝업 열기" onclick="return calendarOpen('startDate01-lry','',this)" class="btn_cal"></button>
<div id="startDate01-lry" class="calendarPop" style="display: none;">
<iframe id="startDate01-ifrm" name="startDate01-ifrm" class="calendar-frame" src="/kccadrPb/adm/calendar.html" title=" 달력 팝업" frameborder="0" scrolling="no"></iframe>
</div>
</div> ~
<input type="text" value="<fmt:formatDate value="${endPnttmDe}" pattern="yyyy-MM-dd"/>" class="endDate inp" title="검색시작일" id="endDate" name="endPnttm" onclick="return calendarOpen('endDate-lry','',this)" value="${vEPrcsDetailVO.endPnttm}" data-datecontrol="true" readonly>
<div class="calendar_in" id="calendarName_endDate" style="z-index: 9;">
<button type="button" value="달력 팝업 열기" onclick="return calendarOpen('endDate-lry','',this)" class="btn_cal" ></button>
<div id="endDate-lry" class="calendarPop" style="display: none;">
<iframe id="endDate-ifrm" name="endDate-ifrm" class="calendar-frame" src="/kccadrPb/adm/calendar.html"title=" 달력 팝업" frameborder="0" scrolling="no"></iframe>
</div>
</div>
</div> --%>
</td> </td>
</tr> </tr>

16
src/main/webapp/WEB-INF/web.xml
View File

@ -131,10 +131,26 @@
<exception-type>java.lang.Throwable</exception-type> <exception-type>java.lang.Throwable</exception-type>
<location>/common/error.jsp</location> <location>/common/error.jsp</location>
</error-page> </error-page>
<error-page>
<error-code>400</error-code>
<location>/common/error.jsp</location>
</error-page>
<error-page>
<error-code>401</error-code>
<location>/common/error.jsp</location>
</error-page>
<error-page>
<error-code>403</error-code>
<location>/common/error.jsp</location>
</error-page>
<error-page> <error-page>
<error-code>404</error-code> <error-code>404</error-code>
<location>/common/error.jsp</location> <location>/common/error.jsp</location>
</error-page> </error-page>
<error-page>
<error-code>405</error-code>
<location>/common/error.jsp</location>
</error-page>
<error-page> <error-page>
<error-code>500</error-code> <error-code>500</error-code>
<location>/common/error.jsp</location> <location>/common/error.jsp</location>