tolag3/mjon_git
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'rosewiper'

Browse Source
This commit is contained in:
rosewiper 2023-10-20 12:51:47 +09:00
commit b6bb4f694c
1 changed files with 67 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

68
src/main/java/itn/let/kakao/user/stepInfo/web/KakaoStepInfoController.java
View File

@ -43,7 +43,7 @@ public class KakaoStepInfoController {
@Resource(name = "EgovFileMngService")
private EgovFileMngService fileService;
/**
* @Method Name : selectKaKaoStepInfo
* @Project : mjon
@ -122,6 +122,25 @@ public class KakaoStepInfoController {
searchVO.setBbsId(boardVO.getBbsId());
BoardMasterVO bbsMasterInfo = bbsAttrbService.selectBBSMasterInf(searchVO);
/**
* FAQ 타이틀 내용에 대한 XSS 변환 태그 원복
* faqUnscript() 이용하여 디비에 변환 태그로 되어있는 코드를 다시 원복 시킴
* ret.replaceAll("&lt;", "<").replaceAll("&gt;", ">");
*
* */
for(int i=0; i<resultList.size(); i++) {
String nttSj = resultList.get(i).getNttSj();
String nttCn = resultList.get(i).getNttCn();
nttSj = faqUnscript(nttSj);
nttCn = faqUnscript(nttCn);
resultList.get(i).setNttSj(nttSj);
resultList.get(i).setNttCn(nttCn);
}
model.addAttribute("bbsMasterInfo", bbsMasterInfo);
model.addAttribute("resultList", resultList);
model.addAttribute("resultCnt", map.get("resultCnt"));
@ -146,4 +165,51 @@ public class KakaoStepInfoController {
return "/web/kakao/intrd/KakaoAllimtalkIntro";
}
/**
* XSS 방지 처리.
*
* @param data
* @return
*/
protected String faqUnscript(String data) {
if (data == null || data.trim().equals("")) {
return "";
}
String ret = data;
ret = ret.replaceAll("<(S|s)(C|c)(R|r)(I|i)(P|p)(T|t)", "&lt;script");
ret = ret.replaceAll("</(S|s)(C|c)(R|r)(I|i)(P|p)(T|t)", "&lt;/script");
ret = ret.replaceAll("<(O|o)(B|b)(J|j)(E|e)(C|c)(T|t)", "&lt;object");
ret = ret.replaceAll("</(O|o)(B|b)(J|j)(E|e)(C|c)(T|t)", "&lt;/object");
ret = ret.replaceAll("<(A|a)(P|p)(P|p)(L|l)(E|e)(T|t)", "&lt;applet");
ret = ret.replaceAll("</(A|a)(P|p)(P|p)(L|l)(E|e)(T|t)", "&lt;/applet");
ret = ret.replaceAll("<(E|e)(M|m)(B|b)(E|e)(D|d)", "&lt;embed");
ret = ret.replaceAll("</(E|e)(M|m)(B|b)(E|e)(D|d)", "&lt;embed");
ret = ret.replaceAll("<(F|f)(O|o)(R|r)(M|m)", "&lt;form");
ret = ret.replaceAll("</(F|f)(O|o)(R|r)(M|m)", "&lt;form");
//ret = ret.replaceAll("<", "&lt;");
//ret = ret.replaceAll(">", "&gt;");
ret = ret.replaceAll("alert", "");
ret = ret.replaceAll("iframe", "");
ret = ret.replaceAll("&lt;", "<").replaceAll("&gt;", ">");
ret = ret.replaceAll("&#40;", "\\(").replaceAll("&#41;", "\\)");
ret = ret.replaceAll("'", "&#39;");
ret = ret.replaceAll("eval\\((.*)\\)", "");
ret = ret.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
ret = ret.replaceAll("script", "");
return ret;
}
}