From b3ff87b151e46f6ba580964c0db196dff0e02927 Mon Sep 17 00:00:00 2001
From: Hyungi Ahn <hyungiahn@Hyungiui-MacBookPro.local>
Date: Mon, 23 Mar 2026 08:22:26 +0900
Subject: [PATCH] =?UTF-8?q?fix(tkuser):=20XSS=20=EB=AF=B8=EC=9D=B4?=
 =?UTF-8?q?=EC=8A=A4=EC=BC=80=EC=9D=B4=ED=94=84=204=EA=B0=9C=EC=86=8C=20?=
 =?UTF-8?q?=EC=88=98=EC=A0=95=20=E2=80=94=20escHtml()=20=EB=88=84=EB=9D=BD?=
 =?UTF-8?q?=20=EB=B3=B4=EC=99=84?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 user-management/web/static/js/tkuser-departments.js | 4 ++--
 user-management/web/static/js/tkuser-vacations.js   | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/user-management/web/static/js/tkuser-departments.js b/user-management/web/static/js/tkuser-departments.js
index ca2bfff..8d56d33 100644
--- a/user-management/web/static/js/tkuser-departments.js
+++ b/user-management/web/static/js/tkuser-departments.js
@@ -21,7 +21,7 @@ function displayDepartments() {
     c.innerHTML = departments.map(d => `
         <div class="flex items-center justify-between p-2.5 rounded-lg hover:bg-gray-100 transition-colors cursor-pointer ${selectedDeptForMembers === d.department_id ? 'bg-blue-50 ring-1 ring-blue-200' : 'bg-gray-50'}" onclick="showDeptMembers(${d.department_id})">
             <div class="flex-1 min-w-0">
-                <div class="text-sm font-medium text-gray-800 truncate"><i class="fas fa-sitemap mr-1.5 text-gray-400 text-xs"></i>${d.department_name}</div>
+                <div class="text-sm font-medium text-gray-800 truncate"><i class="fas fa-sitemap mr-1.5 text-gray-400 text-xs"></i>${escHtml(d.department_name)}</div>
                 <div class="text-xs text-gray-500 flex items-center gap-1.5 mt-0.5 flex-wrap">
                     <span class="text-gray-400">순서: ${d.display_order || 0}</span>
                     <span class="text-gray-400">| 팀장: ${d.leader_name ? escHtml(d.leader_name) : '<span class="text-gray-300">미지정</span>'}</span>
@@ -56,7 +56,7 @@ async function showDeptMembers(deptId) {
     const members = deptUsers.filter(u => u.department_id === deptId);
     const dept = departments.find(d => d.department_id === deptId);
     const title = panel.querySelector('h3');
-    if (title) title.innerHTML = `<i class="fas fa-users text-slate-400 mr-1.5"></i>소속 인원 — ${dept ? dept.department_name : ''}`;
+    if (title) title.innerHTML = `<i class="fas fa-users text-slate-400 mr-1.5"></i>소속 인원 — ${dept ? escHtml(dept.department_name) : ''}`;
 
     if (!members.length) {
         list.innerHTML = '<p class="text-gray-400 text-center py-4 text-sm">소속 인원이 없습니다</p>';
diff --git a/user-management/web/static/js/tkuser-vacations.js b/user-management/web/static/js/tkuser-vacations.js
index 52798d9..a7d4f0c 100644
--- a/user-management/web/static/js/tkuser-vacations.js
+++ b/user-management/web/static/js/tkuser-vacations.js
@@ -65,13 +65,13 @@ function renderVacTypeSidebar() {
         <div class="group flex items-center justify-between p-2 rounded-lg ${vt.is_active ? 'bg-gray-50' : 'bg-gray-50 opacity-50'} hover:bg-blue-50 transition-colors">
             <div class="flex-1 min-w-0">
                 <div class="text-sm font-medium text-gray-800 truncate flex items-center gap-1.5">
-                    ${vt.type_name}
+                    ${escHtml(vt.type_name)}
                     ${vt.is_system ? '<span class="text-[10px] px-1 py-0.5 rounded bg-blue-50 text-blue-500">시스템</span>' : ''}
                     ${vt.is_special ? '<span class="text-[10px] px-1 py-0.5 rounded bg-purple-50 text-purple-500">특별</span>' : ''}
                     ${!vt.is_active ? '<span class="text-[10px] px-1 py-0.5 rounded bg-gray-100 text-gray-400">비활성</span>' : ''}
                 </div>
                 <div class="text-xs text-gray-400 mt-0.5">
-                    ${vt.type_code} | 차감 ${vt.deduct_days}일 | 우선순위 ${vt.priority}
+                    ${escHtml(vt.type_code)} | 차감 ${vt.deduct_days}일 | 우선순위 ${vt.priority}
                 </div>
             </div>
             <div class="flex gap-0.5 ml-1 flex-shrink-0 opacity-0 group-hover:opacity-100 transition-opacity">