diff --git a/src/main/java/itn/com/cmm/interceptor/InterceptorHandler.java b/src/main/java/itn/com/cmm/interceptor/InterceptorHandler.java
index d6eb725e..d200c1cc 100644
--- a/src/main/java/itn/com/cmm/interceptor/InterceptorHandler.java
+++ b/src/main/java/itn/com/cmm/interceptor/InterceptorHandler.java
@@ -49,12 +49,15 @@ public class InterceptorHandler extends HandlerInterceptorAdapter{
 && !name.toLowerCase().contains("info2list")
 && !name.toLowerCase().contains("info3list")
 && !name.toLowerCase().contains("info4list")
+ && !name.toLowerCase().contains("nttcn")
 ) {
 //파라미터 중에 URL 주소를 넘겨주는 부분이 있어서 해당 부분에것 select~, update~, delete~ 로 시작하는 주소경로가 있어서 제외처리를 하였음
 String[] values = request.getParameterValues(name);
 //HTML 태그 관련 부분이 들어있으면 필터링 해주는 정규식 <> ~ 구문 찾아줌
- Pattern regex = Pattern.compile("<(/)?([a-zA-Z]*)(\\\\s[a-zA-Z]*=[^>]*)?(\\\\s)*(/)?>");
+ //Pattern regex = Pattern.compile("<(/)?([a-zA-Z]*)(\\\\s[a-zA-Z]*=[^>]*)?(\\\\s)*(/)?>");
+ //23.7.18 이지우 - XSS 필터링을 위한 정규식 수정
+ Pattern regex = Pattern.compile("<[^ㄱ-ㅎㅏ-ㅣ가-힣<>]+>");
 for (String value : values) {
 //정규식과 동일한 패턴인지 비교해준다.
diff --git a/src/main/java/itn/let/cop/bbs/web/EgovBBSManageController.java b/src/main/java/itn/let/cop/bbs/web/EgovBBSManageController.java
index 087de32c..7611fd4e 100644
--- a/src/main/java/itn/let/cop/bbs/web/EgovBBSManageController.java
+++ b/src/main/java/itn/let/cop/bbs/web/EgovBBSManageController.java
@@ -233,7 +233,8 @@ public class EgovBBSManageController {
 ret = ret.replaceAll("<(F|f)(O|o)(R|r)(M|m)", "<form");
 ret = ret.replaceAll("", ">");
 ret = ret.replaceAll("alert", "");
 //ret = ret.replaceAll("iframe", "");
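Review bot: The new pattern `<[^ㄱ-ㅎㅏ-ㅣ가-힣<>]+>` stops matching as soon as one Hangul character appears anywhere between the angle brackets, including inside an attribute value, so a tag that carries Korean text in an attribute passes this check unfiltered; if the goal is to let bracketed Korean prose through, anchor on the tag name instead, e.g. `Pattern regex = Pattern.compile("</?\\s*[a-zA-Z][^<>]*>");`, and treat this regex as a coarse first line rather than the sanitizer. The added `nttcn` exemption is a substring test on the parameter name, so every parameter whose name contains that fragment skips the check entirely; if the intent is to let the editor's HTML body through, that body then needs a proper HTML sanitizer on its own path, which this commit does not show. The commented-out old pattern should be deleted rather than kept beside the dated note, since the history already preserves it. The enclosing method and the loop that binds `name` both start and end outside the hunk, and from what is visible the pattern appears to be compiled on every request inside the per-parameter block; a `private static final Pattern` field would avoid that.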
@@ -1815,6 +1816,18 @@ public class EgovBBSManageController { @RequestParam Map commandMap, RedirectAttributes redirectAttributes) throws Exception { + //XSS 태그 필터링 처리 + boardVO.setBbsId(unscript(boardVO.getBbsId())); + boardVO.setSeCmmnCdId(unscript(boardVO.getSeCmmnCdId())); + boardVO.setFrstRegisterId(unscript(boardVO.getFrstRegisterId())); + boardVO.setSearchBgnDe(unscript(boardVO.getSearchBgnDe())); + boardVO.setSearchEndDe(unscript(boardVO.getSearchEndDe())); + boardVO.setSearchSortCnd(unscript(boardVO.getSearchSortCnd())); + boardVO.setSearchSortOrd(unscript(boardVO.getSearchSortOrd())); + boardVO.setSearchCnd(unscript(boardVO.getSearchCnd())); + boardVO.setSearchWrd(unscript(boardVO.getSearchWrd())); + + BoardMasterVO bmVO = new BoardMasterVO(); if("".equals(boardVO.getBbsId())) { //검색에서 조회시 nttid로 마스터 조회 bmVO = bbsAttrbService.selectBbsIdByNttId(boardVO); @@ -1959,6 +1972,17 @@ public class EgovBBSManageController { @RequestParam Map commandMap, RedirectAttributes redirectAttributes) throws Exception { + //XSS 태그 필터링 처리 + boardVO.setBbsId(unscript(boardVO.getBbsId())); + boardVO.setSeCmmnCdId(unscript(boardVO.getSeCmmnCdId())); + boardVO.setFrstRegisterId(unscript(boardVO.getFrstRegisterId())); + boardVO.setSearchBgnDe(unscript(boardVO.getSearchBgnDe())); + boardVO.setSearchEndDe(unscript(boardVO.getSearchEndDe())); + boardVO.setSearchSortCnd(unscript(boardVO.getSearchSortCnd())); + boardVO.setSearchSortOrd(unscript(boardVO.getSearchSortOrd())); + boardVO.setSearchCnd(unscript(boardVO.getSearchCnd())); + boardVO.setSearchWrd(unscript(boardVO.getSearchWrd())); + BoardMasterVO bmVO = new BoardMasterVO(); //선택된 카테고리가 없는 경우 
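Review bot: The nine `unscript(...)` calls added at the top of this handler are pasted verbatim into the handlers at 1959 and 4432 as well; extract them into one private helper such as `private void unscriptSearchFields(<boardVO's declared type> boardVO)` and call it from all three so the list of filtered fields cannot drift between the copies. If `unscript` is the `replaceAll` chain partly visible in the hunk at line 233, it appears to call methods on the argument directly, so a field that arrives as null (a search form that omits `searchBgnDe`, for instance) would throw NullPointerException at the first call; the helper should pass null through unchanged. That chain is also a deny-list of fixed words (`"alert"` is simply deleted), which mangles legitimate search terms containing those words and is not a substitute for output encoding, so the search values still need HTML escaping where they are rendered. The enclosing handler method starts before this hunk, and the declared type of boardVO is not visible here.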
@@ -4432,6 +4456,18 @@ public class EgovBBSManageController { RedirectAttributes redirectAttributes) throws Exception { + //XSS 태그 필터링 처리 + boardVO.setBbsId(unscript(boardVO.getBbsId())); + boardVO.setSeCmmnCdId(unscript(boardVO.getSeCmmnCdId())); + boardVO.setFrstRegisterId(unscript(boardVO.getFrstRegisterId())); + boardVO.setSearchBgnDe(unscript(boardVO.getSearchBgnDe())); + boardVO.setSearchEndDe(unscript(boardVO.getSearchEndDe())); + boardVO.setSearchSortCnd(unscript(boardVO.getSearchSortCnd())); + boardVO.setSearchSortOrd(unscript(boardVO.getSearchSortOrd())); + boardVO.setSearchCnd(unscript(boardVO.getSearchCnd())); + boardVO.setSearchWrd(unscript(boardVO.getSearchWrd())); + + BoardMasterVO bmVO = new BoardMasterVO(); if("".equals(boardVO.getBbsId())) { //검색에서 조회시 nttid로 마스터 조회 bmVO = bbsAttrbService.selectBbsIdByNttId(boardVO);