이지우 - 웹 취약점 > 성인 교육 등록 시 XXS 방지 추가, web.xml 내 에러 페이지 종류 주가, 주석 iframe 삭제

2024-08-20 17:14:09 +09:00 · 2024-08-20 17:14:09 +09:00 · 6dabf0b731
commit 6dabf0b731
parent d66b6f4662
4 changed files with 55 additions and 36 deletions
--- a/src/main/java/kcc/ve/aplct/adultVisitEdu/eduAplct/web/EduAplctAdultController.java
+++ b/src/main/java/kcc/ve/aplct/adultVisitEdu/eduAplct/web/EduAplctAdultController.java
@ -235,7 +235,10 @@ public class EduAplctAdultController {
        
 		//로그인 처리====================================
 		//로그인 정보 가져오기
-		
+        
+		/*240820 XSS 취약점 조치*/
+    	vEEduAplctVO.setJobNm(unscript(vEEduAplctVO.getJobNm()));
+    	
        String s_userCheckNInfo = checkLoginUtil.userCheckNInfo(model, request);
 		if (!"".equals(s_userCheckNInfo))	{
 			modelAndView.addObject("result", "loginFail");
@ -558,4 +561,39 @@ public class EduAplctAdultController {
    	
    	return p_paginationInfo;
    }
+    
+	/**
+	 * XSS 방지 처리.
+	 *
+	 * @param data
+	 * @return
+	 */
+	protected String unscript(String data) {
+		if (data == null || data.trim().equals("")) {
+			return "";
+		}
+
+		String ret = data;
+
+		ret = ret.replaceAll("<(S|s)(C|c)(R|r)(I|i)(P|p)(T|t)", "&lt;script");
+		ret = ret.replaceAll("</(S|s)(C|c)(R|r)(I|i)(P|p)(T|t)", "&lt;/script");
+
+		ret = ret.replaceAll("<(O|o)(B|b)(J|j)(E|e)(C|c)(T|t)", "&lt;object");
+		ret = ret.replaceAll("</(O|o)(B|b)(J|j)(E|e)(C|c)(T|t)", "&lt;/object");
+
+		ret = ret.replaceAll("<(A|a)(P|p)(P|p)(L|l)(E|e)(T|t)", "&lt;applet");
+		ret = ret.replaceAll("</(A|a)(P|p)(P|p)(L|l)(E|e)(T|t)", "&lt;/applet");
+
+		ret = ret.replaceAll("<(E|e)(M|m)(B|b)(E|e)(D|d)", "&lt;embed");
+		ret = ret.replaceAll("</(E|e)(M|m)(B|b)(E|e)(D|d)", "&lt;embed");
+
+		ret = ret.replaceAll("<(F|f)(O|o)(R|r)(M|m)", "&lt;form");
+		ret = ret.replaceAll("</(F|f)(O|o)(R|r)(M|m)", "&lt;form");
+
+		//ret = ret.replaceAll("<", "&lt;");
+		ret = ret.replaceAll("alert", "");
+		//ret = ret.replaceAll("iframe", "");
+		
+		return ret;
+	}
 }
--- a/src/main/webapp/WEB-INF/jsp/oprtn/cpyrgExprnClsrm/oprtnAplctAnncmMngReg.jsp
+++ b/src/main/webapp/WEB-INF/jsp/oprtn/cpyrgExprnClsrm/oprtnAplctAnncmMngReg.jsp
@ -488,23 +488,6 @@
 										</div>
 								</div>
 							</div>
-	                        <%-- <div id="sel_date" class="sel_date">
-	                            <input type="text" class="startDate inp" title="검색시작일" id="startDate01" name="strtPnttm" onclick="return calendarOpen('startDate01-lry','',this)" value="${vEPrcsDetailVO.endPnttm}" data-datecontrol="true" readonly>
-	                            <div class="calendar_in" id="calendarName_startDate" style="z-index: 9;">
-	                                <button type="button" value="달력 팝업 열기" onclick="return calendarOpen('startDate01-lry','',this)" class="btn_cal"></button>
-	                                <div id="startDate01-lry" class="calendarPop" style="display: none;">
-	                                    <iframe id="startDate01-ifrm" name="startDate01-ifrm" class="calendar-frame" src="/kccadrPb/adm/calendar.html" title=" 달력 팝업" frameborder="0" scrolling="no"></iframe>
-	                                </div>
-	                            </div> ~
-	                            <input type="text" class="endDate inp" title="검색시작일" id="endDate" name="endPnttm" onclick="return calendarOpen('endDate-lry','',this)" value="${vEPrcsDetailVO.endPnttm}" data-datecontrol="true" readonly>
-	                            <div class="calendar_in" id="calendarName_endDate" style="z-index: 9;">
-	                                <button type="button" value="달력 팝업 열기" onclick="return calendarOpen('endDate-lry','',this)" class="btn_cal" ></button>
-	                                <div id="endDate-lry" class="calendarPop" style="display: none;">
-	                                    <iframe id="endDate-ifrm" name="endDate-ifrm" class="calendar-frame" src="/kccadrPb/adm/calendar.html"title=" 달력 팝업" frameborder="0" scrolling="no"></iframe>
-	                                </div>
-	                            </div>
-	                        </div> --%>
-	                        
 						</td>
 					</tr>

--- a/src/main/webapp/WEB-INF/jsp/oprtn/cpyrgExprnClsrm/oprtnAplctAnncmMngUpdate.jsp
+++ b/src/main/webapp/WEB-INF/jsp/oprtn/cpyrgExprnClsrm/oprtnAplctAnncmMngUpdate.jsp
@ -476,24 +476,6 @@
 										</div>
 								</div>
 							</div>
-	                        <%-- <div id="sel_date" class="sel_date">
-								<fmt:parseDate value='${info.strtPnttm}' var='strtPnttmDe' pattern="yyMMddHHmmss" scope="page" />
-								<fmt:parseDate value='${info.endPnttm}' var='endPnttmDe' pattern="yyMMddHHmmss" scope="page" />
-	                            <input type="text" value="<fmt:formatDate value="${strtPnttmDe}" pattern="yyyy-MM-dd"/>" class="startDate inp" title="검색시작일" id="startDate01" name="strtPnttm" onclick="return calendarOpen('startDate01-lry','',this)" value="${vEPrcsDetailVO.endPnttm}" data-datecontrol="true" readonly>
-	                            <div class="calendar_in" id="calendarName_startDate" style="z-index: 9;">
-	                                <button type="button" value="달력 팝업 열기" onclick="return calendarOpen('startDate01-lry','',this)" class="btn_cal"></button>
-	                                <div id="startDate01-lry" class="calendarPop" style="display: none;">
-	                                    <iframe id="startDate01-ifrm" name="startDate01-ifrm" class="calendar-frame" src="/kccadrPb/adm/calendar.html" title=" 달력 팝업" frameborder="0" scrolling="no"></iframe>
-	                                </div>
-	                            </div> ~
-	                            <input type="text" value="<fmt:formatDate value="${endPnttmDe}" pattern="yyyy-MM-dd"/>" class="endDate inp" title="검색시작일" id="endDate" name="endPnttm" onclick="return calendarOpen('endDate-lry','',this)" value="${vEPrcsDetailVO.endPnttm}" data-datecontrol="true" readonly>
-	                            <div class="calendar_in" id="calendarName_endDate" style="z-index: 9;">
-	                                <button type="button" value="달력 팝업 열기" onclick="return calendarOpen('endDate-lry','',this)" class="btn_cal" ></button>
-	                                <div id="endDate-lry" class="calendarPop" style="display: none;">
-	                                    <iframe id="endDate-ifrm" name="endDate-ifrm" class="calendar-frame" src="/kccadrPb/adm/calendar.html"title=" 달력 팝업" frameborder="0" scrolling="no"></iframe>
-	                                </div>
-	                            </div>
-	                        </div> --%>
 						</td>
 					</tr>

--- a/src/main/webapp/WEB-INF/web.xml
+++ b/src/main/webapp/WEB-INF/web.xml
@ -131,10 +131,26 @@
        <exception-type>java.lang.Throwable</exception-type>
        <location>/common/error.jsp</location>
    </error-page>
+    <error-page>
+        <error-code>400</error-code>
+        <location>/common/error.jsp</location>
+    </error-page>
+    <error-page>
+        <error-code>401</error-code>
+        <location>/common/error.jsp</location>
+    </error-page>
+    <error-page>
+        <error-code>403</error-code>
+        <location>/common/error.jsp</location>
+    </error-page>
    <error-page>
        <error-code>404</error-code>
        <location>/common/error.jsp</location>
    </error-page>
+    <error-page>
+        <error-code>405</error-code>
+        <location>/common/error.jsp</location>
+    </error-page>
    <error-page>
        <error-code>500</error-code>
        <location>/common/error.jsp</location>