fix(tkuser): XSS 미이스케이프 4개소 수정 — escHtml() 누락 보완

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-23 08:22:26 +09:00
parent 36391c02e1
commit b3ff87b151
2 changed files with 4 additions and 4 deletions
--- a/user-management/web/static/js/tkuser-departments.js
+++ b/user-management/web/static/js/tkuser-departments.js
@@ -21,7 +21,7 @@ function displayDepartments() {
    c.innerHTML = departments.map(d => `
        <div class="flex items-center justify-between p-2.5 rounded-lg hover:bg-gray-100 transition-colors cursor-pointer ${selectedDeptForMembers === d.department_id ? 'bg-blue-50 ring-1 ring-blue-200' : 'bg-gray-50'}" onclick="showDeptMembers(${d.department_id})">
            <div class="flex-1 min-w-0">
-                <div class="text-sm font-medium text-gray-800 truncate"><i class="fas fa-sitemap mr-1.5 text-gray-400 text-xs"></i>${d.department_name}</div>
+                <div class="text-sm font-medium text-gray-800 truncate"><i class="fas fa-sitemap mr-1.5 text-gray-400 text-xs"></i>${escHtml(d.department_name)}</div>
                <div class="text-xs text-gray-500 flex items-center gap-1.5 mt-0.5 flex-wrap">
                    <span class="text-gray-400">순서: ${d.display_order || 0}</span>
                    <span class="text-gray-400">| 팀장: ${d.leader_name ? escHtml(d.leader_name) : '<span class="text-gray-300">미지정</span>'}</span>
@@ -56,7 +56,7 @@ async function showDeptMembers(deptId) {
    const members = deptUsers.filter(u => u.department_id === deptId);
    const dept = departments.find(d => d.department_id === deptId);
    const title = panel.querySelector('h3');
-    if (title) title.innerHTML = `<i class="fas fa-users text-slate-400 mr-1.5"></i>소속 인원 — ${dept ? dept.department_name : ''}`;
+    if (title) title.innerHTML = `<i class="fas fa-users text-slate-400 mr-1.5"></i>소속 인원 — ${dept ? escHtml(dept.department_name) : ''}`;

    if (!members.length) {
        list.innerHTML = '<p class="text-gray-400 text-center py-4 text-sm">소속 인원이 없습니다</p>';
--- a/user-management/web/static/js/tkuser-vacations.js
+++ b/user-management/web/static/js/tkuser-vacations.js
@@ -65,13 +65,13 @@ function renderVacTypeSidebar() {
        <div class="group flex items-center justify-between p-2 rounded-lg ${vt.is_active ? 'bg-gray-50' : 'bg-gray-50 opacity-50'} hover:bg-blue-50 transition-colors">
            <div class="flex-1 min-w-0">
                <div class="text-sm font-medium text-gray-800 truncate flex items-center gap-1.5">
-                    ${vt.type_name}
+                    ${escHtml(vt.type_name)}
                    ${vt.is_system ? '<span class="text-[10px] px-1 py-0.5 rounded bg-blue-50 text-blue-500">시스템</span>' : ''}
                    ${vt.is_special ? '<span class="text-[10px] px-1 py-0.5 rounded bg-purple-50 text-purple-500">특별</span>' : ''}
                    ${!vt.is_active ? '<span class="text-[10px] px-1 py-0.5 rounded bg-gray-100 text-gray-400">비활성</span>' : ''}
                </div>
                <div class="text-xs text-gray-400 mt-0.5">
-                    ${vt.type_code} | 차감 ${vt.deduct_days}일 | 우선순위 ${vt.priority}
+                    ${escHtml(vt.type_code)} | 차감 ${vt.deduct_days}일 | 우선순위 ${vt.priority}
                </div>
            </div>
            <div class="flex gap-0.5 ml-1 flex-shrink-0 opacity-0 group-hover:opacity-100 transition-opacity">