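<% String test="<><>"; %>
<%!
// Upload extension check.
//   fileName : name of the uploaded file (user controlled)
//   avaExt   : comma separated allow-list of extensions, e.g. "jpg,gif,pdf";
//              "" (or null) means "anything that is not on the deny-list"
// Returns the String "true" when the file may be stored, "false" otherwise.
// Only the text after the LAST '.' is examined, and the deny-list is a last
// resort: callers should always configure a non-empty allow-list.
String checkext(String fileName, String avaExt){
    if (fileName == null || fileName.equals("")) {
        return "false";
    }
    // An embedded NUL can truncate the name in lower layers ("x.jsp\0.jpg").
    if (fileName.indexOf("\0") > -1) {
        return "false";
    }
    int dot = fileName.lastIndexOf('.');
    String file_ext = fileName.substring(dot + 1);
    // "shell.jsp." has an empty extension that cannot be validated (Windows
    // also drops the trailing dot when the file is written), so reject it.
    if (dot > -1 && file_ext.length() == 0) {
        return "false";
    }
    // Server-side executable / HTML extensions are never accepted, even when
    // they appear in avaExt. ".jspx" is served by the JSP servlet like ".jsp".
    String[] denied = { "jsp", "jspx", "htm", "html" };
    for (int i = 0; i < denied.length; i++) {
        if (file_ext.equalsIgnoreCase(denied[i])) {
            return "false";
        }
    }
    if (avaExt == null || avaExt.equals("")) {
        // No allow-list configured: the deny-list above is the only control.
        return "true";
    }
    // The previous code discarded the result of replaceAll(), so an allow-list
    // written as "jpg, gif" never matched "gif"; strip the blanks for real.
    String[] allowed = avaExt.replaceAll(" ", "").split(",");
    for (int i = 0; i < allowed.length; i++) {
        if (allowed[i].length() > 0 && file_ext.equalsIgnoreCase(allowed[i])) {
            return "true";
        }
    }
    return "false";
}

// Download path check.
//   dn_path : download directory; "" means "no directory", fname is returned as-is
//   fname   : requested file name (user controlled)
// Returns dn_path + "/" + fname when both parts are safe, the String "error"
// otherwise. This is pure string validation and never touches the file
// system; the caller still has to resolve the result under its intended base
// directory (dn_path itself is not checked for being absolute).
String checkpath(String dn_path, String fname){
    if (dn_path == null || fname == null) {
        return "error";
    }
    if (dn_path.indexOf("\0") > -1 || fname.indexOf("\0") > -1) {
        return "error";
    }
    // The directory part may not climb: reject any ".." segment regardless of
    // separator. The old checks only looked for "../" and "..\", so "dir/.."
    // and a bare ".." passed — and a "/" was appended AFTER the check, which
    // turned ".." into "../".
    String[] segs = dn_path.split("[/\\\\]");
    for (int i = 0; i < segs.length; i++) {
        if (segs[i].equals("..")) {
            return "error";
        }
    }
    // The file part must be a bare name: no separator of either kind (the old
    // code only stripped backslashes, so "sub/x" and "/etc/passwd" went
    // through), no "." / ".." token, and no URL-encoded variant that the
    // original filter already rejected.
    if (fname.equals("") || fname.equals(".") || fname.equals("..")
            || fname.indexOf('/') > -1 || fname.indexOf('\\') > -1
            || fname.indexOf("..%2F") > -1 || fname.indexOf("..%2f") > -1) {
        return "error";
    }
    if (dn_path.equals("")) {
        return fname;
    }
    return dn_path + "/" + fname;
}

// XSS filter.
//   str    : output value to filter
//   avatag : comma separated allow-list of tags, e.g. avatag="p,br"
String clearXSS(String str, String avatag){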
if(str==null || str.trim().equals("")){ return avatag; } //XSS¸·±â str=str.replaceAll("\0"," "); str=str.replaceAll("%00",""); //SQL Injection¸·±â str=str.replaceAll("'","''"); str=str.replaceAll("\"","\"\""); //str=str.replaceAll("\\","\\\\"); //str=str.replaceAll(";",""); str=str.replaceAll("#",""); str=str.replaceAll("--",""); //str=str.replaceAll(" ",""); //str=str.replaceAll("or",""); str=str.replaceAll("%27",""); //XSS¸·±â str=str.replaceAll("<","<"); str=str.replaceAll(">",">"); /*Çã¿ëÇÒ Å±׸¦ ÁöÁ¤ÇÒ °æ¿ì(¹Ì¿Ï¼º) if(!avatag.equals("")){ avatag.replaceAll(" ",""); String[] st= avatag.split(","); //Çã¿ëÇÒ Å±׸¦ Á¸Àç ¿©ºÎ¸¦ °Ë»çÇÏ¿© ¿ø»óÅ·Πº¯È¯ for(int x=0; x","<"+str+">"); str=str.replaceAll("</"+str+" ","