Harden admin security controls

This commit is contained in:
2026-05-31 22:23:51 +09:00
parent b27968e5a7
commit ae72b4c739
14 changed files with 378 additions and 136 deletions
+5 -4
@@ -1,7 +1,7 @@
<?php
require_once 'config.php';
require_once __DIR__ . '/error_config.php';
session_start();
start_secure_session();
set_json_headers();
define('CATEGORIES_FILE', DATA_DIR . '/categories.json');
@@ -12,7 +12,7 @@ $method = $_SERVER['REQUEST_METHOD'];
function normalize_category($cat) {
if (!isset($cat['parent_id'])) $cat['parent_id'] = null;
if (!isset($cat['order'])) $cat['order'] = 0;
if (!isset($cat['color'])) $cat['color'] = '#00f2ff';
$cat['color'] = clean_css_color($cat['color'] ?? '#00f2ff');
return $cat;
}
@@ -35,6 +35,7 @@ if ($method === 'GET') {
}
require_auth();
require_csrf();
// =====================================================
// POST: 카테고리 추가
@@ -42,7 +43,7 @@ require_auth();
if ($method === 'POST') {
$input = get_json_input();
$name = trim($input['name'] ?? '');
$color = trim($input['color'] ?? '#00f2ff');
$color = clean_css_color($input['color'] ?? '#00f2ff');
$parentId = isset($input['parent_id']) && $input['parent_id'] !== '' && $input['parent_id'] !== null
? intval($input['parent_id'])
: null;
@@ -115,7 +116,7 @@ if ($method === 'PUT') {
foreach ($categories as $key => $cat) {
if ($cat['id'] === $id) {
if (isset($input['name'])) $categories[$key]['name'] = trim($input['name']);
if (isset($input['color'])) $categories[$key]['color'] = trim($input['color']);
if (isset($input['color'])) $categories[$key]['color'] = clean_css_color($input['color']);
if (isset($input['order'])) $categories[$key]['order'] = intval($input['order']);
// parent_id 변경은 허용하되, 자식이 있는 경우 자식으로 만들지 못하게
if (array_key_exists('parent_id', $input)) {
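Review bot: The new `clean_css_color($input['color'] ?? '#00f2ff')` on the POST path and `clean_css_color($input['color'])` in the PUT branch hand the raw decoded JSON value straight to the sanitizer, and nothing in these hunks guarantees that value is a string — a client can send `"color": ["x"]` or `"color": 123`. If `clean_css_color` declares a `string` parameter or calls string functions internally, such a request ends in a TypeError (a 500) rather than a clean validation rejection, and what it returns for an unrecognised value is not visible here either, so an explicit fallback is worth spelling out. I would type-guard once before the call, e.g. `$rawColor = $input['color'] ?? '#00f2ff';` followed by `$color = clean_css_color(is_string($rawColor) ? $rawColor : '#00f2ff');`, and apply the same guard inside the PUT `isset($input['color'])` branch. The adjacent `trim($input['name'])` has the identical exposure, though that line predates this commit. The PUT `foreach` body continues outside the hunk.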