fix: 보안 취약점 수정 및 XSS 방지 적용

## 백엔드 보안 수정 - 하드코딩된 비밀번호 및 JWT 시크릿 폴백 제거 - SQL Injection 방지를 위한 화이트리스트 검증 추가 - 인증 미적용 API 라우트에 requireAuth 미들웨어 적용 - CSRF 보호 미들웨어 구현 (csrf.js) - 파일 업로드 보안 유틸리티 추가 (fileUploadSecurity.js) - 비밀번호 정책 검증 유틸리티 추가 (passwordValidator.js) ## 프론트엔드 XSS 방지 - api-base.js에 전역 escapeHtml() 함수 추가 - 17개 주요 JS 파일에 escapeHtml 적용: - tbm.js, daily-patrol.js, daily-work-report.js - task-management.js, workplace-status.js - equipment-detail.js, equipment-management.js - issue-detail.js, issue-report.js - vacation-common.js, worker-management.js - safety-report-list.js, nonconformity-list.js - project-management.js, workplace-management.js ## 정리 - 백업 폴더 및 빈 파일 삭제 - SECURITY_GUIDE.md 문서 추가 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-05 06:33:10 +09:00
parent 7c38c555f5
commit 36f110c90a
97 changed files with 2523 additions and 24267 deletions
--- a/web-ui/js/workplace-status.js
+++ b/web-ui/js/workplace-status.js
@@ -442,15 +442,15 @@ function renderCurrentTasks(workers) {
    html += `
      <div class="current-task-item">
        <div class="task-info">
-          <p class="task-name">${worker.task_name}</p>
+          <p class="task-name">${escapeHtml(worker.task_name)}</p>
          <p class="task-detail">
-            ${worker.work_location ? `📍 ${worker.work_location}` : ''}
-            ${worker.project_name ? ` • 📁 ${worker.project_name}` : ''}
+            ${worker.work_location ? `📍 ${escapeHtml(worker.work_location)}` : ''}
+            ${worker.project_name ? ` • 📁 ${escapeHtml(worker.project_name)}` : ''}
          </p>
        </div>
        <div class="task-badge">
          <span>👷</span>
-          <span>${worker.member_count}명</span>
+          <span>${parseInt(worker.member_count) || 0}명</span>
        </div>
      </div>
    `;
@@ -481,7 +481,7 @@ async function loadEquipmentStatus(workplaceId) {
          <div class="equipment-item">
            <span class="equipment-icon">⚙️</span>
            <div class="equipment-info">
-              <p class="equipment-name">${eq.equipment_name}</p>
+              <p class="equipment-name">${escapeHtml(eq.equipment_name)}</p>
              <p class="equipment-status ${statusClass}">${statusText}</p>
            </div>
          </div>
@@ -516,11 +516,11 @@ function renderWorkersTab(workers) {
    html += `
      <div class="worker-item">
        <div class="worker-item-header">
-          <p class="worker-item-title">${worker.task_name}</p>
-          <span class="worker-item-badge">${worker.member_count}명</span>
+          <p class="worker-item-title">${escapeHtml(worker.task_name)}</p>
+          <span class="worker-item-badge">${parseInt(worker.member_count) || 0}명</span>
        </div>
-        ${worker.work_location ? `<p class="worker-item-detail">📍 ${worker.work_location}</p>` : ''}
-        ${worker.project_name ? `<p class="worker-item-detail">📁 ${worker.project_name}</p>` : ''}
+        ${worker.work_location ? `<p class="worker-item-detail">📍 ${escapeHtml(worker.work_location)}</p>` : ''}
+        ${worker.project_name ? `<p class="worker-item-detail">📁 ${escapeHtml(worker.project_name)}</p>` : ''}
      </div>
    `;
  });
@@ -544,11 +544,11 @@ function renderVisitorsTab(visitors) {
    html += `
      <div class="visitor-item">
        <div class="visitor-item-header">
-          <p class="visitor-item-title">${visitor.visitor_company}</p>
-          <span class="visitor-item-badge">${visitor.visitor_count}명 • ${statusText}</span>
+          <p class="visitor-item-title">${escapeHtml(visitor.visitor_company)}</p>
+          <span class="visitor-item-badge">${parseInt(visitor.visitor_count) || 0}명 • ${statusText}</span>
        </div>
-        <p class="visitor-item-detail">⏰ ${visitor.visit_time}</p>
-        <p class="visitor-item-detail">📋 ${visitor.purpose_name}</p>
+        <p class="visitor-item-detail">⏰ ${escapeHtml(visitor.visit_time)}</p>
+        <p class="visitor-item-detail">📋 ${escapeHtml(visitor.purpose_name)}</p>
      </div>
    `;
  });