Harden admin security controls

2026-05-31 22:23:51 +09:00
parent b27968e5a7
commit ae72b4c739
14 changed files with 378 additions and 136 deletions
+22 -3
@@ -1,13 +1,31 @@
<?php
require_once 'config.php';
require_once __DIR__ . '/error_config.php';
session_start();
start_secure_session();
set_json_headers();
define('LEARNING_FILE', DATA_DIR . '/learning.json');
$method = $_SERVER['REQUEST_METHOD'];
function clean_learning_content($content) {
$content = is_string($content) ? trim($content) : '';
$content = preg_replace_callback('/\]\(([^)]+)\)/', function($m) {
$url = trim($m[1]);
return is_safe_public_url($url) ? '](' . $url . ')' : '](#)';
}, $content);
$content = preg_replace_callback('/@video(\[[^\]]*\])?\(([^)]+)\)/', function($m) {
$attrs = $m[1] ?? '';
$url = trim($m[2]);
return is_safe_public_url($url) ? '@video' . $attrs . '(' . $url . ')' : '';
}, $content);
$content = preg_replace_callback('/\{color:([^}]+)\}([\s\S]+?)\{\/color\}/', function($m) {
$color = clean_css_color($m[1], '');
return $color === '' ? $m[2] : '{color:' . $color . '}' . $m[2] . '{/color}';
}, $content);
return $content;
}
// =====================================================
// GET: 학습 일지 목록 또는 단일 글 (인증 불필요)
// =====================================================
@@ -63,6 +81,7 @@ if ($method === 'GET') {
}
require_auth();
require_csrf();
// =====================================================
// POST: 새 학습 일지 작성
@@ -71,7 +90,7 @@ if ($method === 'POST') {
$input = get_json_input();
$title = trim($input['title'] ?? '');
$content = trim($input['content'] ?? '');
$content = clean_learning_content($input['content'] ?? '');
$categoryId = intval($input['category_id'] ?? 0);
if (empty($title) || empty($content)) {
@@ -170,7 +189,7 @@ if ($method === 'PUT') {
$learnings[$key]['title'] = $title;
}
if (isset($input['content'])) {
$content = trim($input['content']);
$content = clean_learning_content($input['content']);
if ($content === '') json_response(['error' => '내용은 비울 수 없습니다'], 400);
$learnings[$key]['content'] = $content;
}