fix: 보안 취약점 수정 및 XSS 방지 적용

## 백엔드 보안 수정 - 하드코딩된 비밀번호 및 JWT 시크릿 폴백 제거 - SQL Injection 방지를 위한 화이트리스트 검증 추가 - 인증 미적용 API 라우트에 requireAuth 미들웨어 적용 - CSRF 보호 미들웨어 구현 (csrf.js) - 파일 업로드 보안 유틸리티 추가 (fileUploadSecurity.js) - 비밀번호 정책 검증 유틸리티 추가 (passwordValidator.js) ## 프론트엔드 XSS 방지 - api-base.js에 전역 escapeHtml() 함수 추가 - 17개 주요 JS 파일에 escapeHtml 적용: - tbm.js, daily-patrol.js, daily-work-report.js - task-management.js, workplace-status.js - equipment-detail.js, equipment-management.js - issue-detail.js, issue-report.js - vacation-common.js, worker-management.js - safety-report-list.js, nonconformity-list.js - project-management.js, workplace-management.js ## 정리 - 백업 폴더 및 빈 파일 삭제 - SECURITY_GUIDE.md 문서 추가 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-05 06:33:10 +09:00
parent 7c38c555f5
commit 36f110c90a
97 changed files with 2523 additions and 24267 deletions
--- a/web-ui/js/task-management.js
+++ b/web-ui/js/task-management.js
@@ -100,14 +100,15 @@ function renderWorkTypeTabs() {
    const count = tasks.filter(t => t.work_type_id === workType.id).length;
    const isActive = currentWorkTypeId === workType.id;

+    const safeId = parseInt(workType.id) || 0;
    tabsHtml += `
      <button class="tab-btn ${isActive ? 'active' : ''}"
-              data-work-type="${workType.id}"
-              onclick="switchWorkType(${workType.id})"
+              data-work-type="${safeId}"
+              onclick="switchWorkType(${safeId})"
              style="position: relative; padding-right: 3rem;">
        <span class="tab-icon">🔧</span>
-        ${workType.name} (${count})
-        <span onclick="event.stopPropagation(); editWorkType(${workType.id});"
+        ${escapeHtml(workType.name)} (${parseInt(count) || 0})
+        <span onclick="event.stopPropagation(); editWorkType(${safeId});"
              style="position: absolute; right: 0.5rem; padding: 0.25rem 0.5rem; opacity: 0.7; cursor: pointer; font-size: 0.75rem;"
              title="공정 수정">
          ✏️
@@ -157,35 +158,36 @@ function createTaskCard(task) {
  const statusBadge = task.is_active
    ? '<span class="badge" style="background: #dcfce7; color: #166534;">활성</span>'
    : '<span class="badge" style="background: #f3f4f6; color: #6b7280;">비활성</span>';
+  const safeTaskId = parseInt(task.task_id) || 0;

  return `
-    <div class="code-card" onclick="editTask(${task.task_id})">
+    <div class="code-card" onclick="editTask(${safeTaskId})">
      <div class="code-card-header">
-        <h3 class="code-name">${task.task_name}</h3>
+        <h3 class="code-name">${escapeHtml(task.task_name)}</h3>
        ${statusBadge}
      </div>

      <div class="code-info">
        <div class="info-item">
          <span class="info-label">소속 공정</span>
-          <span class="info-value">${task.work_type_name || '-'}</span>
+          <span class="info-value">${escapeHtml(task.work_type_name || '-')}</span>
        </div>
        ${task.category ? `
          <div class="info-item">
            <span class="info-label">카테고리</span>
-            <span class="info-value">${task.category}</span>
+            <span class="info-value">${escapeHtml(task.category)}</span>
          </div>
        ` : ''}
      </div>

      ${task.description ? `
        <div class="code-description">
-          ${task.description}
+          ${escapeHtml(task.description)}
        </div>
      ` : ''}

      <div class="code-meta">
-        <span>등록: ${formatDate(task.created_at)}</span>
+        <span>등록: ${escapeHtml(formatDate(task.created_at))}</span>
      </div>
    </div>
  `;
@@ -275,7 +277,7 @@ function populateWorkTypeSelect() {

  select.innerHTML = '<option value="">공정 선택...</option>' +
    workTypes.map(wt => `
-      <option value="${wt.id}">${wt.name}${wt.category ? ' (' + wt.category + ')' : ''}</option>
+      <option value="${escapeHtml(String(wt.id))}">${escapeHtml(wt.name)}${wt.category ? ' (' + escapeHtml(wt.category) + ')' : ''}</option>
    `).join('');
 }