fix(security): 전체 서비스 보안 점검 — XSS·인가·토큰·헤더·에러마스킹 일괄 수정
Phase 1 CRITICAL XSS: - marked.parse() → DOMPurify.sanitize() (system3 ai-assistant, issues-management) - toast innerHTML에 escapeHtml 적용 (system1 api-base, system3 common-header) - onclick 핸들러 → data 속성 + addEventListener (system2 issue-detail) Phase 2 HIGH 인가: - getUserBalance 본인확인 추가 (tksupport vacationController) Phase 3 HIGH 토큰+CSP: - localStorage 토큰 저장 제거 — 쿠키 전용 (7개 서비스) - unsafe-eval CSP 제거 (system1 security.js) Phase 4 MEDIUM: - nginx 보안 헤더 추가 (8개 서비스) - 500 에러 메시지 마스킹 (5개 API) - path traversal 방지 (system3 file_service.py) - cookie fallback 데드코드 제거 (4개 auth.js) - /login/form rate limiting 추가 (sso-auth) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Hyungi Ahn
@@ -196,7 +196,7 @@ function appendChatMessage(role, content, sources) {
|
||||
const contentDiv = document.createElement('div');
|
||||
if (role === 'ai' && typeof marked !== 'undefined') {
|
||||
contentDiv.className = 'text-sm prose prose-sm max-w-none';
|
||||
contentDiv.innerHTML = marked.parse(content);
|
||||
contentDiv.innerHTML = DOMPurify.sanitize(marked.parse(content));
|
||||
} else {
|
||||
contentDiv.className = 'text-sm whitespace-pre-line';
|
||||
contentDiv.textContent = content;
|
||||
|
||||
@@ -990,7 +990,7 @@ async function aiSuggestSolution() {
|
||||
const raw = data.suggestion || '';
|
||||
content.dataset.raw = raw;
|
||||
if (typeof marked !== 'undefined') {
|
||||
content.innerHTML = marked.parse(raw);
|
||||
content.innerHTML = DOMPurify.sanitize(marked.parse(raw));
|
||||
} else {
|
||||
content.textContent = raw;
|
||||
}
|
||||
@@ -1030,7 +1030,7 @@ async function aiSuggestSolutionInline(issueId) {
|
||||
const raw = data.suggestion || '';
|
||||
content.dataset.raw = raw;
|
||||
if (typeof marked !== 'undefined') {
|
||||
content.innerHTML = marked.parse(raw);
|
||||
content.innerHTML = DOMPurify.sanitize(marked.parse(raw));
|
||||
} else {
|
||||
content.textContent = raw;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user