From 14a693ed4ecfa5d940e518b81234d9276dbceebf Mon Sep 17 00:00:00 2001
From: rosewiper <rosehips@naver.com>
Date: Fri, 20 Oct 2023 12:50:59 +0900
Subject: [PATCH] =?UTF-8?q?=EC=B9=B4=ED=86=A1=EB=B0=9C=EC=86=A1=20>=20?=
 =?UTF-8?q?=EC=95=8C=EB=A6=BC=ED=86=A1=20=EC=84=A4=EC=A0=95=20=ED=95=98?=
 =?UTF-8?q?=EB=8B=A8=20FAQ=20=EB=82=B4=EC=9A=A9=EC=97=90=20=ED=83=9C?=
 =?UTF-8?q?=EA=B7=B8=20=EC=98=A4=EB=A5=98=20=EA=B0=9C=EC=84=A0?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../stepInfo/web/KakaoStepInfoController.java | 68 ++++++++++++++++++-
 1 file changed, 67 insertions(+), 1 deletion(-)

diff --git a/src/main/java/itn/let/kakao/user/stepInfo/web/KakaoStepInfoController.java b/src/main/java/itn/let/kakao/user/stepInfo/web/KakaoStepInfoController.java
index d85d87b5..3dd67af8 100644
--- a/src/main/java/itn/let/kakao/user/stepInfo/web/KakaoStepInfoController.java
+++ b/src/main/java/itn/let/kakao/user/stepInfo/web/KakaoStepInfoController.java
@@ -43,7 +43,7 @@ public class KakaoStepInfoController {
 	@Resource(name = "EgovFileMngService")
 	private EgovFileMngService fileService;
 	
-	
+
 	/**
 	* @Method Name : selectKaKaoStepInfo
 	* @Project : mjon
@@ -122,6 +122,25 @@ public class KakaoStepInfoController {
 		searchVO.setBbsId(boardVO.getBbsId());
 		BoardMasterVO bbsMasterInfo = bbsAttrbService.selectBBSMasterInf(searchVO);
 		
+		/**
+		 * FAQ 타이틀 및 내용에 대한 XSS 변환 태그 원복
+		 * faqUnscript() 를 이용하여 디비에 변환 태그로 되어있는 코드를 다시 원복 시킴
+		 * ret.replaceAll("&lt;", "<").replaceAll("&gt;", ">");
+		 * 
+		 * */
+		for(int i=0; i<resultList.size(); i++) {
+			
+			String nttSj = resultList.get(i).getNttSj();
+			String nttCn = resultList.get(i).getNttCn();
+			
+			nttSj = faqUnscript(nttSj);
+			nttCn = faqUnscript(nttCn);
+			
+			resultList.get(i).setNttSj(nttSj);
+			resultList.get(i).setNttCn(nttCn);
+			
+		}
+		
 		model.addAttribute("bbsMasterInfo", bbsMasterInfo);
 		model.addAttribute("resultList", resultList);
 		model.addAttribute("resultCnt", map.get("resultCnt"));
@@ -146,4 +165,51 @@ public class KakaoStepInfoController {
 		
 		return "/web/kakao/intrd/KakaoAllimtalkIntro";
 	}
+	
+	
+	/**
+	 * XSS 방지 처리.
+	 *
+	 * @param data
+	 * @return
+	 */
+	protected String faqUnscript(String data) {
+		if (data == null || data.trim().equals("")) {
+			return "";
+		}
+
+		String ret = data;
+
+		ret = ret.replaceAll("<(S|s)(C|c)(R|r)(I|i)(P|p)(T|t)", "&lt;script");
+		ret = ret.replaceAll("</(S|s)(C|c)(R|r)(I|i)(P|p)(T|t)", "&lt;/script");
+
+		ret = ret.replaceAll("<(O|o)(B|b)(J|j)(E|e)(C|c)(T|t)", "&lt;object");
+		ret = ret.replaceAll("</(O|o)(B|b)(J|j)(E|e)(C|c)(T|t)", "&lt;/object");
+
+		ret = ret.replaceAll("<(A|a)(P|p)(P|p)(L|l)(E|e)(T|t)", "&lt;applet");
+		ret = ret.replaceAll("</(A|a)(P|p)(P|p)(L|l)(E|e)(T|t)", "&lt;/applet");
+
+		ret = ret.replaceAll("<(E|e)(M|m)(B|b)(E|e)(D|d)", "&lt;embed");
+		ret = ret.replaceAll("</(E|e)(M|m)(B|b)(E|e)(D|d)", "&lt;embed");
+
+		ret = ret.replaceAll("<(F|f)(O|o)(R|r)(M|m)", "&lt;form");
+		ret = ret.replaceAll("</(F|f)(O|o)(R|r)(M|m)", "&lt;form");
+
+		//ret = ret.replaceAll("<", "&lt;");
+		//ret = ret.replaceAll(">", "&gt;");
+		ret = ret.replaceAll("alert", "");
+		ret = ret.replaceAll("iframe", "");
+		
+		ret = ret.replaceAll("&lt;", "<").replaceAll("&gt;", ">");
+		ret = ret.replaceAll("&#40;", "\\(").replaceAll("&#41;", "\\)");
+		ret = ret.replaceAll("'", "&#39;");
+		ret = ret.replaceAll("eval\\((.*)\\)", "");
+		ret = ret.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
+		ret = ret.replaceAll("script", "");
+		
+		return ret;
+	}
+	
+	
+	
 }