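/**
 * Cross-site scripting (XSS) 공격을 방어하기 위해서 위험 문자열을 제거한다.
 * Strips dangerous markup to defend against cross-site scripting (XSS).
 *
 * Arrays are filtered element by element (recursively). When the global
 * switch $kboard_xssfilter_active is on, the string is run through an
 * HTMLPurifier instance that is built once per request and cached in
 * $GLOBALS['KBOARD']; in every case the result is then passed through
 * kboard_safeiframe().
 *
 * @param string|array $data  raw input, typically a request value
 * @return string|array       filtered value of the same shape as $data
 */
function kboard_xssfilter($data)
{
    global $kboard_xssfilter_active;

    if (is_array($data)) {
        return array_map('kboard_xssfilter', $data);
    }

    if ($kboard_xssfilter_active) {
        // Build the purifier lazily. empty() is used instead of a bare read so
        // the first call no longer raises an undefined-index notice on
        // $GLOBALS['KBOARD'].
        if (empty($GLOBALS['KBOARD']['HTMLPurifier']) || empty($GLOBALS['KBOARD']['HTMLPurifier_Config'])) {
            $HTMLPurifier_Config = HTMLPurifier_Config::createDefault();
            $HTMLPurifier_Config->set('HTML.SafeIframe', true);
            // NOTE(review): '(.*)' matches every URL, so SafeIframe places no
            // restriction on iframe sources at all; a whitelist of embed hosts
            // is what this option is meant to hold. Kept as-is because the
            // allowed hosts are a site policy decision.
            $HTMLPurifier_Config->set('URI.SafeIframeRegexp', '(.*)');
            $HTMLPurifier_Config->set('HTML.TidyLevel', 'light');
            $HTMLPurifier_Config->set('HTML.SafeObject', true);
            $HTMLPurifier_Config->set('HTML.SafeEmbed', true);
            $HTMLPurifier_Config->set('Attr.AllowedFrameTargets', array('_blank'));
            $HTMLPurifier_Config->set('Output.FlashCompat', true);
            // Serializer cache lives under the uploads directory; it must be writable.
            $HTMLPurifier_Config->set('Cache.SerializerPath', WP_CONTENT_DIR . '/uploads/kboard_htmlpurifier');
            $GLOBALS['KBOARD']['HTMLPurifier_Config'] = $HTMLPurifier_Config;
            $GLOBALS['KBOARD']['HTMLPurifier'] = HTMLPurifier::getInstance();
            unset($HTMLPurifier_Config);
        }
        // stripslashes() presumably undoes the slashes WordPress adds to request
        // data before purifying — confirm callers always pass slashed input.
        $data = $GLOBALS['KBOARD']['HTMLPurifier']->purify(
            stripslashes((string) $data),
            $GLOBALS['KBOARD']['HTMLPurifier_Config']
        );
    }

    return kboard_safeiframe($data);
}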
 /**
  * 게시글을 등록/수정한다.
  * Registers a new document or updates an existing one.
  *
  * Reads the submission from $_POST, filters each field, then either
  * updates the existing document (when $this->uid and $this->date are set)
  * or, after a CAPTCHA check, inserts a new one and optionally mails the
  * addresses configured in the board's latest_alerts setting.
  *
  * @return int|string  uid of the updated or inserted document; '' when
  *                     nothing was written (no title on insert, or the
  *                     update preconditions were not met)
  */
 public function execute()
 {
     $this->parent_uid = isset($_POST['parent_uid']) ? intval($_POST['parent_uid']) : 0;
     // NOTE(review): the author id is taken straight from the request, so it
     // is client-supplied — confirm the caller restricts or overrides it.
     $this->member_uid = isset($_POST['member_uid']) ? intval($_POST['member_uid']) : 0;
     $this->member_display = isset($_POST['member_display']) ? kboard_xssfilter(kboard_htmlclear(trim($_POST['member_display']))) : '';
     $this->title = isset($_POST['title']) ? kboard_xssfilter(kboard_htmlclear(trim($_POST['title']))) : '';
     // The body keeps its HTML: it is purified (kboard_xssfilter) and then
     // iframe-restricted (kboard_safeiframe) rather than cleared.
     $this->content = isset($_POST['kboard_content']) ? kboard_safeiframe(kboard_xssfilter(trim($_POST['kboard_content']))) : '';
     $this->date = isset($_POST['date']) ? kboard_xssfilter(kboard_htmlclear(trim($_POST['date']))) : '';
     $this->category1 = isset($_POST['category1']) ? kboard_xssfilter(kboard_htmlclear(trim($_POST['category1']))) : '';
     $this->category2 = isset($_POST['category2']) ? kboard_xssfilter(kboard_htmlclear(trim($_POST['category2']))) : '';
     $this->secret = isset($_POST['secret']) ? kboard_xssfilter(kboard_htmlclear(trim($_POST['secret']))) : '';
     $this->notice = isset($_POST['notice']) ? kboard_xssfilter(kboard_htmlclear(trim($_POST['notice']))) : '';
     // Precedence: (secret && wordpress_search == 1) ? '2' : raw value. A secret
     // document that asked for search value 1 is forced to 2; '3' when absent.
     $this->search = isset($_POST['wordpress_search']) ? intval($this->secret && $_POST['wordpress_search'] == 1 ? '2' : $_POST['wordpress_search']) : '3';
     // NOTE(review): the password goes through htmlclear/xssfilter before it is
     // stored; if those helpers strip characters, the stored value differs from
     // what was typed — verify against the check performed on read.
     $this->password = isset($_POST['password']) ? kboard_xssfilter(kboard_htmlclear(trim($_POST['password']))) : '';
     if ($this->uid && $this->date) {
         // Update the existing document.
         // NOTE(review): no CAPTCHA or ownership check appears on this path
         // here; presumably the caller performs it — confirm.
         $this->updateContent();
         $this->setThumbnail($this->uid);
         $this->update_options($this->uid);
         $this->update_attach($this->uid);
         /*
          * Fire the document-update action hook.
          */
         do_action('kboard_document_update', $this->uid, $this->board_id);
         return $this->uid;
     } else {
         if (!$this->uid && $this->title) {
             // Verify the CAPTCHA code.
             include_once 'KBCaptcha.class.php';
             $captcha = new KBCaptcha();
             $captcha_text = isset($_POST['captcha']) ? $_POST['captcha'] : '';
             if (!$captcha->textCheck($captcha_text)) {
                 // Aborts the request with an inline alert and history.go(-1);
                 // the translated message is embedded unescaped in the script.
                 die("<script>alert('" . __('The CAPTCHA code is not valid. Please enter the CAPTCHA code.', 'kboard') . "');history.go(-1);</script>");
             }
             // Register the new document.
             $uid = $this->insertContent();
             if ($uid) {
                 $this->setThumbnail($uid);
                 $this->update_options($uid);
                 $this->update_attach($uid);
                 // If the board settings configure notification e-mails, send one.
                 $meta = new KBoardMeta($this->board_id);
                 if ($meta->latest_alerts) {
                     /*
                      * http://www.cosmosfarm.com/threads/document/3025
                      * The mail subject includes the name of the board the
                      * document was posted to.
                      */
                     $board = new KBoard();
                     $board->setID($this->board_id);
                     $url = new KBUrl();
                     include_once 'KBMail.class.php';
                     $mail = new KBMail();
                     // latest_alerts is a comma-separated list of recipients.
                     $mail->to = explode(',', $meta->latest_alerts);
                     $mail->title = '[' . __('KBoard new document', 'kboard') . '] ' . $board->board_name . ' - ' . $this->title;
                     $mail->content = $this->content;
                     $mail->url = $url->getDocumentRedirect($uid);
                     $mail->send();
                 }
                 /*
                  * Fire the document-insert action hook.
                  */
                 do_action('kboard_document_insert', $uid, $this->board_id);
             }
             return $uid;
         }
     }
     return '';
 }
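 /**
  * 댓글 정보를 입력한다.
  * Inserts a comment row and increments the parent document's comment count.
  *
  * The row is written with $wpdb->insert(), which binds and escapes every
  * value itself, so the inputs are no longer pre-escaped with esc_sql() and
  * interpolated into a query string. The counter update goes through
  * $wpdb->prepare() for the same reason: $this->content_uid is whatever the
  * caller set on the object and was previously interpolated unescaped.
  *
  * @param int $parent_uid       uid of the parent comment (0 for a top-level comment)
  * @param int $user_uid         WordPress user id of the author
  * @param string $user_display  display name; HTML is cleared
  * @param string $content       comment body; HTML is purified and iframes restricted
  * @param string $password      optional password; HTML is cleared
  * @return int  uid of the new comment ($wpdb->insert_id)
  */
 public function add($parent_uid, $user_uid, $user_display, $content, $password = '')
 {
     global $wpdb;

     // uid of the document this comment belongs to (see the counter update below).
     $content_uid = intval($this->content_uid);
     $parent_uid = intval($parent_uid);
     $user_uid = intval($user_uid);
     $user_display = kboard_htmlclear(trim($user_display));
     $content = kboard_safeiframe(kboard_xssfilter(trim($content)));
     $password = kboard_htmlclear(trim($password));
     // Stored as a YmdHis string in the blog's local time, like the existing rows.
     $created = date('YmdHis', current_time('timestamp'));

     $wpdb->insert(
         "{$wpdb->prefix}kboard_comments",
         array(
             'content_uid' => $content_uid,
             'parent_uid' => $parent_uid,
             'user_uid' => $user_uid,
             'user_display' => $user_display,
             'content' => $content,
             'created' => $created,
             'password' => $password,
         ),
         array('%d', '%d', '%d', '%s', '%s', '%s', '%s')
     );
     $insert_id = $wpdb->insert_id;

     // Keep the denormalised comment counter on the document in step.
     $wpdb->query($wpdb->prepare(
         "UPDATE `{$wpdb->prefix}kboard_board_content` SET `comment`=`comment`+1 WHERE `uid`=%d",
         $content_uid
     ));

     // Fire the comment-insert action hook.
     do_action('kboard_comments_insert', $insert_id, $content_uid);

     return $insert_id;
 }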