
Merge remote-tracking branch 'TSIT/ST24PRJ-612' into develop

card007 4 лет назад
ef9783ef2d

+ 1 - 0
src/main/java/com/style24/front/biz/service/TsfCounselService.java

@@ -220,6 +220,7 @@ public class TsfCounselService {
 	 */
 	@Transactional("shopTxnManager")
 	public void createGoodsQna(Counsel counsel) {
+		counsel.setQuestContent(counsel.getQuestContent().replaceAll("(?i)script", ""));
 		counsel.setSiteCd(TscConstants.Site.STYLE24.value());
 		counsel.setCustNo(TsfSession.getInfo().getCustNo());
 		counsel.setCellPhnno(TsfSession.getInfo().getCellPhnno());
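Review bot: The new `replaceAll("(?i)script", "")` on questContent is a substring blacklist, not an XSS control: `<img src=x onerror=alert(1)>` contains no `script` and passes untouched, while legitimate text such as "description" is silently mangled. It also dereferences `getQuestContent()` without a null check, so a request with no content now throws NullPointerException out of the service before the DAO is reached. The robust control is HTML-encoding at render time (which the view changes in this same commit remove) or a real HTML sanitizer on input; at minimum make the line null-safe, `String q = counsel.getQuestContent(); if (q != null) counsel.setQuestContent(q.replaceAll("(?i)script", ""));`, and add a comment stating that this strip is not a security boundary. createGoodsQna's body continues beyond the hunk.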

+ 1 - 0
src/main/java/com/style24/front/biz/service/TsfPlanningService.java

@@ -601,6 +601,7 @@ public class TsfPlanningService {
 	public void saveEntryReply(Plan plan) {
 		int custNo = TsfSession.getInfo().getCustNo();
 		plan.setCustNo(custNo);
+		plan.setEntryVal1(plan.getEntryVal1().replaceAll("(?i)script", ""));
 		planningDao.saveEntryReply(plan);
 
 		//이미지등록
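Review bot: `plan.getEntryVal1().replaceAll("(?i)script", "")` throws NullPointerException when entryVal1 is absent, and as a security measure it is bypassed by nesting — a single-pass replaceAll turns `<scscriptript>` into `<script>`, and attribute-handler payloads (`onerror`, `onload`) never contained the word at all. The same inline regex is now copied into three services in this commit; if it is kept, move it into one null-safe helper so it can be replaced by a proper encoder in one place, and at this call site write `String v = plan.getEntryVal1(); if (v != null) plan.setEntryVal1(v.replaceAll("(?i)script", ""));`. saveEntryReply's body continues beyond the hunk.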

+ 3 - 0
src/main/java/com/style24/front/biz/service/TsfReviewService.java

@@ -176,6 +176,8 @@ public class TsfReviewService {
 		
 		String resultStr = "SUCESS";
 		
+		review.setReviewContent(review.getReviewContent().replaceAll("(?i)script",""));
+		
 		review.setDispYn("Y");
 		review.setDelYn("N");
 		review.setConfirmYn("Y");
@@ -333,6 +335,7 @@ public class TsfReviewService {
 		review.setRegNo(TsfSession.getInfo().getCustNo());
 		review.setUpdNo(TsfSession.getInfo().getCustNo());		
 		//review.setConfirmYn("Y");
+		review.setReviewContent(review.getReviewContent().replaceAll("(?i)script",""));
 		review.setReviewGb("R");
 		reviewDao.updateMypageReview(review);
 		reviewDao.reviewAttachDelete(review);
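Review bot: Both new lines (the create path at line 41 and the update path at line 50) strip the literal `script` from reviewContent, which neither blocks `<img src=x onerror=...>` nor survives nesting (`<scscriptript>` collapses to `<script>` because replaceAll is single-pass), and both throw NullPointerException for a review with no content. Because the review views in this commit switch from `escapeHtml()` to `unescapeHtml()` before injecting the text as HTML, this blacklist becomes the only thing between a customer-written review and every other customer's browser. Keep output encoding in the views and, if this server-side strip stays, guard it: `if (review.getReviewContent() != null) review.setReviewContent(review.getReviewContent().replaceAll("(?i)script", ""));`. Both enclosing methods start outside their hunks.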

+ 5 - 1
src/main/webapp/WEB-INF/views/mob/callcenter/FaqFormMob.html

@@ -115,6 +115,10 @@
 		$('#btnFaqMore').trigger('click');
 	}
 	
+	String.prototype.unescapeHtml = function(){	//XSS변환
+		  return this.replace(/&lt;/g, "<").replace(/&gt;/g, ">");
+	};
+	
 	// FAQ 목록 콜백함수
 	var fnGetListCallback = function(result) {
 		if (result.dataList != null && result.dataList.length > 0) {
@@ -134,7 +138,7 @@
 				tag += '	</div>\n';
 				tag += '	<div class="fold_cont">\n';
 				tag += '		<div class="fold_answer">\n';
-				tag += '			<div class="answer_body">' + item.answer.escapeHtml().replace(/\n/g,'<br/>') + '</div>\n';
+				tag += '			<div class="answer_body">' + item.answer.unescapeHtml().replace(/\n/g,'<br/>') + '</div>\n';
 				tag += '		</div>\n';
 				tag += '	</div>\n';
 				tag += '</li>\n';
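Review bot: Line 74 swaps `escapeHtml()` for `unescapeHtml()` on `item.answer` and the result is concatenated into `tag`, which is rendered as HTML, so an entity-encoded `&lt;` in a stored answer now becomes a live tag — this removes the output-encoding step rather than adding protection. FAQ answers are presumably admin-authored, which lowers but does not remove the risk: a compromised CMS account becomes persistent XSS for every visitor, and the server-side `(?i)script` strip in this commit does not cover `onerror`/`onload` handlers. If the intent is to render admin HTML, sanitize it server-side and document that the field is trusted; otherwise keep `item.answer.escapeHtml().replace(/\n/g,'<br/>')`. The `String.prototype.unescapeHtml` patch on line 62 is also redefined with different entity sets in several views of this commit; define it once in the shared gaga script. fnGetListCallback continues beyond the hunk.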

+ 1 - 1
src/main/webapp/WEB-INF/views/mob/callcenter/NoticeFormMob.html

@@ -87,7 +87,7 @@
 				
 // 				tag += '						<span class="prod">공지</span>\n';
 				tag += '					</div>\n';
-				tag += '					<div class="lap2"><span>' + item.noticeTitle.escapeHtml() + '</span></div>\n';
+				tag += '					<div class="lap2"><span>' + item.noticeTitle.replaceAll('&lt;','<').replaceAll('&gt;', '>').replaceAll('&quot;', '"').replaceAll('&amp;nbsp;', ' ') + '</span></div>\n';
 				tag += '				</div>\n';
 				tag += '				<span class="data">' + item.regDt.toDate("YYYYMMDD").format("YYYY.MM.DD") + '</span>\n';
 				tag += '			</div>\n';
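Review bot: Line 87 decodes `item.noticeTitle` with a `replaceAll` chain and injects it as HTML where the old line HTML-encoded it, so any `<` or `&lt;` in a notice title is now interpreted as markup. `String.prototype.replaceAll` is ES2021 and throws TypeError on older mobile WebViews, which would abort the whole list callback, and the `'&amp;nbsp;'` → `' '` step suggests the stored titles are double-encoded — worth confirming, since decoding at the sink is a workaround for an upstream encoding bug. If titles must stay encoded at the source, keep `item.noticeTitle.escapeHtml()` here, or at least use the regex form `.replace(/&lt;/g, '<')` so the page does not depend on ES2021. The enclosing callback starts outside the hunk.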

+ 6 - 2
src/main/webapp/WEB-INF/views/mob/goods/GoodsDetailQnaFormMob.html

@@ -71,6 +71,10 @@
 		//$('#layer_goods_qna_reg').find('.close-modal').trigger("click");
 		gagajf.ajaxFormSubmit($('#goodsQnaForm').prop('action'), '#goodsQnaForm', fnGetListCallback);
 	}
+	
+	String.prototype.unescapeHtml = function(){
+		  return this.replace(/&lt;/g, "<").replace(/&gt;/g, ">");
+	};
 
 	var fnGetListCallback = function(result) {
 
@@ -104,7 +108,7 @@
 				}
 				tag += '						</span>\n';
 				tag += '					</div>\n';
-				tag += '					<div class="lap2"><span>' + item.questContent.escapeHtml() + '</span></div>\n';
+				tag += '					<div class="lap2"><span>' + item.questContent.unescapeHtml() + '</span></div>\n';
 				tag += '					<span class="id">'+ item.maskingCustId+'</span><span class="data">' + item.questDt + '</span>\n';
 				tag += '				</div>\n';
 				tag += '			</div>\n';
@@ -113,7 +117,7 @@
 				tag += '	<div class="fold_cont">\n';
 				tag += '		<div class="fold_detail">\n'; //문의 내용
 				tag += '			<div>\n';
-				tag += '				<p>' + item.questContent.escapeHtml() + '</p>\n';
+				tag += '				<p>' + item.questContent.unescapeHtml() + '</p>\n';
 				tag += '			</div>\n';
 				tag += '		</div>\n';
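Review bot: `item.questContent` is customer-submitted text (it is the field `createGoodsQna` writes), and lines 111 and 120 now decode it with `unescapeHtml()` and concatenate it into HTML that is injected into the page, where the old lines encoded it — a question containing `<img src=x onerror=alert(1)>` (or its `&lt;`-encoded form) now executes for every shopper who opens the QnA list. The `(?i)script` strip added server-side in this commit does not match that payload. Restore `item.questContent.escapeHtml()` on both lines; if encoded entities are showing literally, that is a double-encoding problem on the write path, not something to fix by unescaping at the sink. fnGetListCallback continues beyond the hunk.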
 				

+ 5 - 1
src/main/webapp/WEB-INF/views/mob/mypage/MypageReviewCreateFormMob.html

@@ -524,7 +524,7 @@ $(function(){
 		 rating(reviewScore-1);
 		$("#reviewForm input[name=height]").val(reviewList.height);
 		$("#reviewForm input[name=weight]").val(reviewList.weight);
-		$("#reviewForm textarea[name=reviewContent]").val(reviewList.reviewContent.escapeHtml());
+		$("#reviewForm textarea[name=reviewContent]").val(reviewList.reviewContent.unescapeHtml());
 		if(reviewList.scoreSize == "1"){
 			$('#reviewForm input:radio[name=scoreSize]:radio[value="1"]').prop('checked', true);
 		}else if(reviewList.scoreSize == "2"){
@@ -707,6 +707,10 @@ function handleOnInput(el, maxlength) {
 			el.value = el.value.substr(0, maxlength);
 		}
 	}
+	
+String.prototype.unescapeHtml = function(){	//XSS변환
+	  return this.replace(/&lt;/g, "<").replace(/&gt;/g, ">");
+};
 </script>
 <script>
 	//210524_ 추가 : textarea focus시 outline 색상 넣는 스크립트
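Review bot: The `unescapeHtml()` at line 133 is safe as written because jQuery `.val()` sets the textarea's value without parsing HTML, and it is arguably correct for an edit form — showing `&lt;` literally was the old bug. The helper only decodes `&lt;`/`&gt;`, though, so if stored content also carries `&amp;` or `&quot;` (the web FAQ view in this commit decodes those too) they will appear literally and be re-submitted, compounding the encoding on each save — confirm against what the write path stores. Style point: the `String.prototype.unescapeHtml` definition at line 142 sits at the bottom of the script after its use inside the `$(function(){...})` block; it works only because the ready callback runs later, so move it to the top of the script or into the shared gaga utilities and replace the misleading `//XSS변환` with `// decode stored entities for editing (textarea value, not HTML)`. The `$(function(){` block starts outside the hunk.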

+ 16 - 12
src/main/webapp/WEB-INF/views/mob/planning/PlanningDetailFormMob.html

@@ -533,6 +533,10 @@ let replyAttachList = [[${replyAttachList}]];
 let planCornerGoodsList = [[${planCornerGoodsList}]];
 let planCornerList = [[${planCornerList}]];
 
+String.prototype.unescapeHtml = function(){
+	  return this.replace(/&lt;/g, "<").replace(/&gt;/g, ">");
+};
+
 var ajaxReplyList = function () {
 	gagaPaging.init('searchForm', fnSearchCallback, 'paging', 10);
 	gagaPaging.load(1);
@@ -570,7 +574,7 @@ var fnSearchCallback = function (result) {
 						}
 						html += '			</div>';
 					}
-					html += '			<p>'+item.entryVal1.escapeHtml()+'</p>';
+					html += '			<p>'+item.entryVal1.unescapeHtml()+'</p>';
 					html += '		</div>';
 					html += '	</li>';
 			 });
@@ -719,7 +723,7 @@ if (notice.length>0) {
 	html += '	<div class="announce_list">';
 	html += '		<ul>';
 	$.each(notice, function(idx, item)  {
-	html += '			<li>' +item.itemVal.escapeHtml();+ '</li>';
+	html += '			<li>' +item.itemVal.unescapeHtml();+ '</li>';
 	});
 	html += '		</ul>';
 	html += '	</div>';
@@ -1187,25 +1191,25 @@ if(template.length>0){
 			html += '		</div>\n';
 			html += '		<div class="announce_list">\n';
 			html += '			<ul>\n';
-			html += '                  <li>' + couponContent[0].cpnNote0.escapeHtml(); +'</li>\n';
+			html += '                  <li>' + couponContent[0].cpnNote0.unescapeHtml(); +'</li>\n';
 			if(couponContent[0].cpnNote1 != null && couponContent[0].cpnNote1 != '')
-				html += '                  <li>' + couponContent[0].cpnNote1.escapeHtml(); +'</li>\n';
+				html += '                  <li>' + couponContent[0].cpnNote1.unescapeHtml(); +'</li>\n';
 			if(couponContent[0].cpnNote2 != null && couponContent[0].cpnNote2 != '')
-				html += '                  <li>' + couponContent[0].cpnNote2.escapeHtml(); +'</li>\n';
+				html += '                  <li>' + couponContent[0].cpnNote2.unescapeHtml(); +'</li>\n';
 			if(couponContent[0].cpnNote3 != null && couponContent[0].cpnNote3 != '')
-				html += '                  <li>' + couponContent[0].cpnNote3.escapeHtml(); +'</li>\n';
+				html += '                  <li>' + couponContent[0].cpnNote3.unescapeHtml; +'</li>\n';
 			if(couponContent[0].cpnNote4 != null && couponContent[0].cpnNote4 != '')
-				html += '                  <li>' + couponContent[0].cpnNote4.escapeHtml(); +'</li>\n';
+				html += '                  <li>' + couponContent[0].cpnNote4.unescapeHtml(); +'</li>\n';
 			if(couponContent[0].cpnNote5 != null && couponContent[0].cpnNote5 != '')
-				html += '                  <li>' + couponContent[0].cpnNote5.escapeHtml(); +'</li>\n';
+				html += '                  <li>' + couponContent[0].cpnNote5.unescapeHtml(); +'</li>\n';
 			if(couponContent[0].cpnNote6 != null && couponContent[0].cpnNote6 != '')
-				html += '                  <li>' + couponContent[0].cpnNote6.escapeHtml(); +'</li>\n';
+				html += '                  <li>' + couponContent[0].cpnNote6.unescapeHtml(); +'</li>\n';
 			if(couponContent[0].cpnNote7 != null && couponContent[0].cpnNote7 != '')
-				html += '                  <li>' + couponContent[0].cpnNote7.escapeHtml(); +'</li>\n';
+				html += '                  <li>' + couponContent[0].cpnNote7.unescapeHtml(); +'</li>\n';
 			if(couponContent[0].cpnNote8 != null && couponContent[0].cpnNote8 != '')
-				html += '                  <li>' + couponContent[0].cpnNote8.escapeHtml(); +'</li>\n';
+				html += '                  <li>' + couponContent[0].cpnNote8.unescapeHtml(); +'</li>\n';
 			if(couponContent[0].cpnNote9 != null && couponContent[0].cpnNote9 != '')
-				html += '                  <li>' + couponContent[0].cpnNote9.escapeHtml(); +'</li>\n';
+				html += '                  <li>' + couponContent[0].cpnNote9.unescapeHtml(); +'</li>\n';
 			html += '			</ul>\n';
 			html += '		</div>\n';
 			html += '	</div>\n';
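Review bot: Line 195 reads `couponContent[0].cpnNote3.unescapeHtml` without the call parentheses, so the function's source text is concatenated into the `<li>` instead of the note; it should be `couponContent[0].cpnNote3.unescapeHtml()`. The same lines (177, 186–213) keep the stray `;` before `+'</li>\n'`, which turns the closing tag into a discarded expression statement — pre-existing, but since these lines are being rewritten, drop the semicolon. More importantly, line 168 decodes `item.entryVal1`, which is customer-written reply text, and injects it as HTML where `escapeHtml()` was used before; restore the encoding there. The enclosing functions continue beyond their hunks.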

+ 8 - 3
src/main/webapp/WEB-INF/views/web/callcenter/FaqFormWeb.html

@@ -168,6 +168,11 @@
 		// Load data
 		gagaPaging.load(1);
 	}
+	
+	String.prototype.unescapeHtml = function(){
+		  return this.replace(/&amp;/g, "&").replace(/&lt;/g, "<").replace(/&gt;/g, ">").replace(/&quot;/g, "\"");
+	};
+	
 	var idx = 1;
 	var fnGetListCallback = function(result) {
 		$('#ulFaq').html('');
@@ -180,14 +185,14 @@
 				tag += '			<div>\n';
 				tag += '				<span class="fold_state">' + item.faqTypeNm + '</span>\n';
 				tag += '				<div class="fold_tit">\n';
-				tag += '					<span>' + item.question + '</span>\n';
+				tag += '					<span>' + item.question.unescapeHtml() + '</span>\n';
 				tag += '				</div>\n';
 				tag += '			</div>\n';
 				tag += '		</a>\n';
 				tag += '	</div>\n';
 				tag += '	<div class="fold_cont" style="display: none;">\n';
 				tag += '		<div class="fold_answer">\n';
-				tag += '			<div>' + item.answer + '</div>\n';
+				tag += '			<div>' + item.answer.replaceAll('&lt;','<').replaceAll('&gt;', '>').replaceAll('&quot;', '"').replaceAll('&amp;nbsp;', ' ') + '</div>\n';
 				tag += '		</div>\n';
 				tag += '	</div>\n';
 				tag += '</li>\n';
@@ -228,7 +233,7 @@
 		let answer = $(obj).data('answer');
 		if (!gagajf.isNull(answer)) {
 			$('#faqTypeNm').html('[' + answer.substring(0, answer.indexOf('|')) + ']');
-			$('#faqAnswer').html('<span>답변 내용은 아래와 같습니다.</span>' + answer.substring(answer.indexOf('|') + 1).escapeHtml().replace(/\n/g,'<br/>'));
+			$('#faqAnswer').html('<span>답변 내용은 아래와 같습니다.</span>' + answer.substring(answer.indexOf('|') + 1).unescapeHtml().replace(/\n/g,'<br/>'));
 		}
 	}
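Review bot: The helper at line 227 decodes `&amp;` first and `&lt;`/`&gt;`/`&quot;` afterwards, so a stored `&amp;lt;` is double-decoded to `<`; decode `&amp;` last: `return this.replace(/&lt;/g, "<").replace(/&gt;/g, ">").replace(/&quot;/g, '"').replace(/&amp;/g, "&");`. Lines 238, 246 and 255 then inject the decoded question/answer as HTML (line 255 via `.html()`), removing the `escapeHtml()` that line 254 had; FAQ content is presumably admin-authored, so this is a trust decision that should be stated in a comment rather than left implicit. Line 246 also bypasses the helper with an inline `replaceAll` chain (ES2021, and a different entity set) — use the one helper consistently. The two enclosing functions continue beyond their hunks.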
 	

+ 2 - 4
src/main/webapp/WEB-INF/views/web/callcenter/NoticeFormWeb.html

@@ -86,12 +86,10 @@
 		gagaPaging.load(1);
 	}
 	
-	String.prototype.unescapeHtml = function(){
+	String.prototype.unescapeHtml = function(){	//XSS변환
 	  return this.replace(/&amp;/g, "&").replace(/&lt;/g, "<").replace(/&gt;/g, ">").replace(/&quot;/g, "\"");
 	};
 
-
-
 	var idx = 1;
 	var fnGetListCallback = function(result) {
 		$('#ulNotice').html('');
@@ -119,7 +117,7 @@
 				
 // 				tag += '				<span class="fold_category">공지</span>\n';
 				tag += '				<div class="fold_tit">\n';
-				tag += '					<span>' + item.noticeTitle.escapeHtml() + '</span>\n';
+				tag += '					<span>' + item.noticeTitle.unescapeHtml() + '</span>\n';
 				tag += '				</div>\n';
 				tag += '				<span class="data">' + item.regDt.toDate("YYYYMMDD").format("YYYY.MM.DD") + '</span>\n';
 				tag += '			</div>\n';
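Review bot: The comment added at line 268, `//XSS변환`, labels a function that removes HTML encoding, and line 282 then feeds the decoded notice title into HTML where `escapeHtml()` was used before — the comment documents the opposite of what the change does. Either keep `item.noticeTitle.escapeHtml()` at this sink and reserve unescaping for form-field values, or replace the comment with one that is honest about the contract: `// decodes stored HTML entities; the result is NOT safe to inject as HTML`. fnGetListCallback continues beyond the hunk.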

+ 6 - 2
src/main/webapp/WEB-INF/views/web/goods/GoodsDetailQnaFormWeb.html

@@ -83,6 +83,10 @@
 		gagaPaging.load(1);
 	}
 	
+	String.prototype.unescapeHtml = function(){	//XSS변환
+		  return this.replace(/&lt;/g, "<").replace(/&gt;/g, ">");
+	};
+	
 	var fnGoodsQnaListCallback = function(result) {
 		$('#ulGoodsQna').html('');
 		$('#goodsQnaForm').find('.nodata').hide();
@@ -102,7 +106,7 @@
 				tag += '			<div>\n';
 				tag += '				<span class="fold_state ' + (item.ansStat == "G060_10" ? "doing" : "done") + '">' + item.ansStatNm + '</span>\n'; //답변완료 : done / 처리중 : doing
 				tag += '				<div class="fold_tit">\n';
-				tag += '					<span>' + item.questContent.escapeHtml() + '</span>\n';
+				tag += '					<span>' + item.questContent.unescapeHtml() + '</span>\n';
 				if (item.secretYn == "Y"){
 				tag += '					<i class="ico ico_secret"></i>\n';	//비밀글에 추가되는 아이콘
 				}
@@ -120,7 +124,7 @@
 				tag += '	<div class="fold_cont" style="display: none;">\n';
 				tag += '		<div class="fold_detail">\n'; //문의 내용
 				tag += '			<div>\n'; 
-				tag += '				<p>' + item.questContent.escapeHtml() + '</p>\n';
+				tag += '				<p>' + item.questContent.unescapeHtml() + '</p>\n';
 				tag += '			</div>\n';
 				tag += '		</div>\n';
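Review bot: Lines 306 and 315 decode customer-submitted `item.questContent` and inject it as HTML, undoing the `escapeHtml()` the old lines had; the only remaining control is the server-side removal of the substring `script`, which `<img src=x onerror=alert(1)>` does not contain. This is stored XSS that fires on the goods detail page for every visitor, not only the author. Restore `item.questContent.escapeHtml()` on both lines and, if entities are displaying literally, fix the encoding on the write path instead. fnGoodsQnaListCallback continues beyond the hunk.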
 				

+ 5 - 1
src/main/webapp/WEB-INF/views/web/mypage/MypageReviewCreateFormWeb.html

@@ -390,6 +390,10 @@ let photoPoint  = [[${reviewPoint.photoReviewPoint}]];
 var $starEls = $('#star button#starBtn');
 var rate = 1;
 
+String.prototype.unescapeHtml = function(){	//XSS변환
+	  return this.replace(/&lt;/g, "<").replace(/&gt;/g, ">");
+};
+
 $starEls.each(function (index, el) {
     $(el).on('click', function () {
         rating(index);
@@ -651,7 +655,7 @@ $(document).ready(function() {
 		 rating(reviewScore-1);
 		$("#reviewForm input[name=height]").val(reviewList.height);
 		$("#reviewForm input[name=weight]").val(reviewList.weight);
-		$("#reviewForm textarea[name=reviewContent]").val(reviewList.reviewContent.escapeHtml());
+		$("#reviewForm textarea[name=reviewContent]").val(reviewList.reviewContent.unescapeHtml());
 		if(reviewList.scoreSize == "1"){
 			$('#reviewForm input:radio[name=scoreSize]:radio[value="1"]').prop('checked', true);
 		}else if(reviewList.scoreSize == "2"){
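Review bot: `unescapeHtml()` at line 339 is fine on its own because `.val()` assigns the textarea value without HTML parsing, so this is one of the few places in the commit where decoding is the right direction. The helper at line 327 decodes only `&lt;` and `&gt;`; if reviewContent is stored with `&amp;`/`&quot;` as well, those will show literally and be re-encoded on save — confirm against what the write path produces. The `//XSS변환` comment is misleading for a decoder; `// decode stored entities for editing in the textarea (value, not HTML)` says what it does. The `$(document).ready` block continues outside the hunk.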

+ 6 - 2
src/main/webapp/WEB-INF/views/web/mypage/MypageReviewFormWeb.html

@@ -110,6 +110,10 @@
 	<script src="/ux/plugins/gaga/gaga.paging.js"></script>
 	<script th:inline="javascript">
 	let attachList = [[${alreadyReviewAttach}]];
+	
+	String.prototype.unescapeHtml = function(){	//XSS변환
+		  return this.replace(/&lt;/g, "<").replace(/&gt;/g, ">");
+	};
 	// 작성가능한 리뷰 클릭 시
 	$("#completeReview").click(function() {
 		$("#alreadyReview").removeClass("active");
@@ -337,7 +341,7 @@
 
 				}
 				html+='						<div class="txt_review_box"  id="admin_'+item.reviewSq+'">\n';
-				html+='							<p style="white-space:pre;">'+item.reviewContent.escapeHtml()+'</p>\n';
+				html+='							<p style="white-space:pre;">'+item.reviewContent.unescapeHtml()+'</p>\n';
 				html+='						</div>\n';
 
 				if (item.admRpl != null && item.admRpl != '') {
@@ -348,7 +352,7 @@
 					html+='									<span class="wr_date">'+item.admRplDt+'</span>\n';
 					html+='								</div>\n';
 					html+='								<div class="reply_txt">\n';
-					html+='									<p style="white-space:pre;">'+item.admRpl.escapeHtml()+'</p>\n';
+					html+='									<p style="white-space:pre;">'+item.admRpl.unescapeHtml()+'</p>\n';
 					html+='								</div>\n';
 					html+='							</div>\n';
 					html+='						</div>\n';
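Review bot: Lines 363 and 372 decode `item.reviewContent` (customer-written) and `item.admRpl` and concatenate them into HTML, replacing the `escapeHtml()` the old lines used, so a review containing `<img src=x onerror=...>` (raw or `&lt;`-encoded) now executes in the my-page view. The target `<p style="white-space:pre;">` already preserves line breaks, so there was no rendering reason to stop encoding here; restore `item.reviewContent.escapeHtml()` and `item.admRpl.escapeHtml()`. The enclosing callback starts outside the hunk.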

+ 16 - 12
src/main/webapp/WEB-INF/views/web/planning/PlanningDetailFormWeb.html

@@ -420,6 +420,10 @@ let replyAttachList = [[${replyAttachList}]];
 let planCornerGoodsList = [[${planCornerGoodsList}]];
 let planCornerList = [[${planCornerList}]];
 
+String.prototype.unescapeHtml = function(){	//XSS변환
+	  return this.replace(/&lt;/g, "<").replace(/&gt;/g, ">");
+};
+
 if(notice.length>0){
 	$("#G082_60").show();
 	
@@ -439,7 +443,7 @@ if(notice.length>0){
 	html += '            <div class="announce_list">\n';
 	html += '                <ul>\n';
 	$.each(notice, function(idx, item)  {
-		html += '				<li>' +item.itemVal.escapeHtml();+ '</li>\n';
+		html += '				<li>' +item.itemVal.unescapeHtml();+ '</li>\n';
 	});
 	html += '                </ul>\n';
 	html += '            </div>\n';
@@ -982,25 +986,25 @@ if(template.length>0){
 			html += '            </div>\n                                                                ';
 			html += '            <div class="announce_list">\n                                           ';
 			html += '               <ul>\n';
-			html += '                  <li>' + couponContent[0].cpnNote0.escapeHtml(); +'</li>\n';
+			html += '                  <li>' + couponContent[0].cpnNote0.unescapeHtml(); +'</li>\n';
 			if(couponContent[0].cpnNote1 != null && couponContent[0].cpnNote1 != '')
-				html += '                  <li>' + couponContent[0].cpnNote1.escapeHtml(); +'</li>\n';
+				html += '                  <li>' + couponContent[0].cpnNote1.unescapeHtml(); +'</li>\n';
 			if(couponContent[0].cpnNote2 != null && couponContent[0].cpnNote2 != '')
-				html += '                  <li>' + couponContent[0].cpnNote2.escapeHtml(); +'</li>\n';
+				html += '                  <li>' + couponContent[0].cpnNote2.unescapeHtml(); +'</li>\n';
 			if(couponContent[0].cpnNote3 != null && couponContent[0].cpnNote3 != '')
-				html += '                  <li>' + couponContent[0].cpnNote3.escapeHtml(); +'</li>\n';	
+				html += '                  <li>' + couponContent[0].cpnNote3.unescapeHtml(); +'</li>\n';	
 			if(couponContent[0].cpnNote4 != null && couponContent[0].cpnNote4 != '')
-				html += '                  <li>' + couponContent[0].cpnNote4.escapeHtml(); +'</li>\n';
+				html += '                  <li>' + couponContent[0].cpnNote4.unescapeHtml(); +'</li>\n';
 			if(couponContent[0].cpnNote5 != null && couponContent[0].cpnNote5 != '')
-				html += '                  <li>' + couponContent[0].cpnNote5.escapeHtml(); +'</li>\n';
+				html += '                  <li>' + couponContent[0].cpnNote5.unescapeHtml(); +'</li>\n';
 			if(couponContent[0].cpnNote6 != null && couponContent[0].cpnNote6 != '')
-				html += '                  <li>' + couponContent[0].cpnNote6.escapeHtml();+'</li>\n';
+				html += '                  <li>' + couponContent[0].cpnNote6.unescapeHtml();+'</li>\n';
 			if(couponContent[0].cpnNote7 != null && couponContent[0].cpnNote7 != '')
-				html += '                  <li>' + couponContent[0].cpnNote7.escapeHtml(); +'</li>\n';
+				html += '                  <li>' + couponContent[0].cpnNote7.unescapeHtml(); +'</li>\n';
 			if(couponContent[0].cpnNote8 != null && couponContent[0].cpnNote8 != '')
-				html += '                  <li>' + couponContent[0].cpnNote8.escapeHtml(); +'</li>\n';
+				html += '                  <li>' + couponContent[0].cpnNote8.unescapeHtml(); +'</li>\n';
 			if(couponContent[0].cpnNote9 != null && couponContent[0].cpnNote9 != '')
-				html += '                  <li>' + couponContent[0].cpnNote9.escapeHtml(); +'</li>\n';
+				html += '                  <li>' + couponContent[0].cpnNote9.unescapeHtml(); +'</li>\n';
 			html += '               </ul>\n';
 			html += '            </div>                                                                '; 
 			html += '        </div>                                                                    '; 
@@ -1128,7 +1132,7 @@ var fnSearchCallback = function (result) {
 				 }
 				
 				 html += '			</div>\n';
-				 html += '			<p>'+item.entryVal1.escapeHtml()+'</p>\n';
+				 html += '			<p>'+item.entryVal1.unescapeHtml()+'</p>\n';
 				 if (item.entryCustNo == result.custNo) {
 					 html += '			<button class="btn btn_default btn_del" value="'+item.planEntrySq+'" onclick="fnDelReply(this.value)"><span>삭제</span></button>\n';
 				 }
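Review bot: Line 441 decodes `item.entryVal1` and injects it as HTML; line 443 shows this is customer-authored reply text (`entryCustNo == result.custNo` gates the delete button), so with `escapeHtml()` removed a reply containing an `onerror` handler runs for everyone viewing the planning page. Restore `item.entryVal1.escapeHtml()` there. In the coupon hunk the stray `;` before `+'</li>\n'` on lines 405–432 is carried over, so `</li>` is never appended — drop it while these lines are being touched, e.g. `html += '<li>' + couponContent[0].cpnNote1.unescapeHtml() + '</li>\n';`. fnSearchCallback continues beyond the hunk.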