Merge branch 'jiwoo'

src/main/java/itn/com/cmm/interceptor/InterceptorHandler.java

@@ -49,12 +49,15 @@ public class InterceptorHandler extends HandlerInterceptorAdapter{
 				&& !name.toLowerCase().contains("info2list")
 				&& !name.toLowerCase().contains("info3list")
 				&& !name.toLowerCase().contains("info4list")
+				&& !name.toLowerCase().contains("nttcn")
 			) {	
 				//파라미터 중에 URL 주소를 넘겨주는 부분이 있어서 해당 부분에것 select~, update~, delete~ 로 시작하는 주소경로가 있어서 제외처리를 하였음
 				String[] values = request.getParameterValues(name);
 				
 				//HTML 태그 관련 부분이 들어있으면 필터링 해주는 정규식 <> ~ </> 구문 찾아줌
-				Pattern regex = Pattern.compile("<(/)?([a-zA-Z]*)(\\\\s[a-zA-Z]*=[^>]*)?(\\\\s)*(/)?>");
+				//Pattern regex = Pattern.compile("<(/)?([a-zA-Z]*)(\\\\s[a-zA-Z]*=[^>]*)?(\\\\s)*(/)?>");
+				//23.7.18 이지우 - XSS 필터링을 위한 정규식 수정
+				Pattern regex = Pattern.compile("<[^ㄱ-ㅎㅏ-ㅣ가-힣<>]+>");
 				for (String value : values) {
 					
 					//정규식과 동일한 패턴인지 비교해준다.

src/main/java/itn/let/cop/bbs/web/EgovBBSManageController.java

@@ -233,7 +233,8 @@ public class EgovBBSManageController {
 		ret = ret.replaceAll("<(F|f)(O|o)(R|r)(M|m)", "&lt;form");
 		ret = ret.replaceAll("</(F|f)(O|o)(R|r)(M|m)", "&lt;form");
 
-		//ret = ret.replaceAll("<", "&lt;");
+		ret = ret.replaceAll("<", "&lt;");
+		ret = ret.replaceAll(">", "&gt;");
 		ret = ret.replaceAll("alert", "");
 		//ret = ret.replaceAll("iframe", "");
 		
@@ -1815,6 +1816,18 @@ public class EgovBBSManageController {
 			@RequestParam Map<String, Object> commandMap,
 			RedirectAttributes redirectAttributes) throws Exception {
 		
+		//XSS 태그 필터링 처리
+		boardVO.setBbsId(unscript(boardVO.getBbsId()));
+		boardVO.setSeCmmnCdId(unscript(boardVO.getSeCmmnCdId()));
+		boardVO.setFrstRegisterId(unscript(boardVO.getFrstRegisterId()));
+		boardVO.setSearchBgnDe(unscript(boardVO.getSearchBgnDe()));
+		boardVO.setSearchEndDe(unscript(boardVO.getSearchEndDe()));
+		boardVO.setSearchSortCnd(unscript(boardVO.getSearchSortCnd()));
+		boardVO.setSearchSortOrd(unscript(boardVO.getSearchSortOrd()));
+		boardVO.setSearchCnd(unscript(boardVO.getSearchCnd()));
+		boardVO.setSearchWrd(unscript(boardVO.getSearchWrd()));
+		
+		
 		BoardMasterVO bmVO = new BoardMasterVO();
 		if("".equals(boardVO.getBbsId())) { //검색에서 조회시 nttid로 마스터 조회
 			bmVO = bbsAttrbService.selectBbsIdByNttId(boardVO);
@@ -1959,6 +1972,17 @@ public class EgovBBSManageController {
 			@RequestParam Map<String, Object> commandMap,
 			RedirectAttributes redirectAttributes) throws Exception {
 		
+		//XSS 태그 필터링 처리
+		boardVO.setBbsId(unscript(boardVO.getBbsId()));
+		boardVO.setSeCmmnCdId(unscript(boardVO.getSeCmmnCdId()));
+		boardVO.setFrstRegisterId(unscript(boardVO.getFrstRegisterId()));
+		boardVO.setSearchBgnDe(unscript(boardVO.getSearchBgnDe()));
+		boardVO.setSearchEndDe(unscript(boardVO.getSearchEndDe()));
+		boardVO.setSearchSortCnd(unscript(boardVO.getSearchSortCnd()));
+		boardVO.setSearchSortOrd(unscript(boardVO.getSearchSortOrd()));
+		boardVO.setSearchCnd(unscript(boardVO.getSearchCnd()));
+		boardVO.setSearchWrd(unscript(boardVO.getSearchWrd()));
+		
 		BoardMasterVO bmVO = new BoardMasterVO();
 		
 		//선택된 카테고리가 없는 경우
@@ -4432,6 +4456,18 @@ public class EgovBBSManageController {
 			RedirectAttributes redirectAttributes) throws Exception {
 		
 		
+		//XSS 태그 필터링 처리
+		boardVO.setBbsId(unscript(boardVO.getBbsId()));
+		boardVO.setSeCmmnCdId(unscript(boardVO.getSeCmmnCdId()));
+		boardVO.setFrstRegisterId(unscript(boardVO.getFrstRegisterId()));
+		boardVO.setSearchBgnDe(unscript(boardVO.getSearchBgnDe()));
+		boardVO.setSearchEndDe(unscript(boardVO.getSearchEndDe()));
+		boardVO.setSearchSortCnd(unscript(boardVO.getSearchSortCnd()));
+		boardVO.setSearchSortOrd(unscript(boardVO.getSearchSortOrd()));
+		boardVO.setSearchCnd(unscript(boardVO.getSearchCnd()));
+		boardVO.setSearchWrd(unscript(boardVO.getSearchWrd()));
+		
+		
 		BoardMasterVO bmVO = new BoardMasterVO();
 		if("".equals(boardVO.getBbsId())) { //검색에서 조회시 nttid로 마스터 조회
 			bmVO = bbsAttrbService.selectBbsIdByNttId(boardVO);