Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
E
em
Overview
Overview
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Wiki
Wiki
Snippets
Snippets
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
ichikawa
em
Commits
b74f259b
Commit
b74f259b
authored
May 09, 2024
by
Kim Gyeongeun
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
#58990 #1. SQL インジェクションの影響を受ける可能性がある
#58991 #2. XSS(反射型)の影響を受ける可能性がある
parent
f6ca2aaf
Hide whitespace changes
Inline
Side-by-side
Showing
8 changed files
with
57 additions
and
49 deletions
+57
-49
src/main/java/jp/agentec/sinaburocast/service/MemberService.java
+10
-4
src/main/webapp/WEB-INF/view/admin/member/memberConfirm.html
+10
-9
src/main/webapp/WEB-INF/view/admin/member/memberEdit.html
+7
-7
src/main/webapp/WEB-INF/view/admin/member/memberInput.html
+6
-6
src/main/webapp/WEB-INF/view/admin/member/memberInputConfirm.html
+8
-7
src/main/webapp/WEB-INF/view/admin/member/memberSearch.html
+1
-1
src/main/webapp/WEB-INF/view/admin/setting/adminRegist.html
+5
-5
src/main/webapp/WEB-INF/view/admin/setting/adminRegistConfirm.html
+10
-10
No files found.
src/main/java/jp/agentec/sinaburocast/service/MemberService.java
View file @
b74f259b
...
...
@@ -9,6 +9,7 @@ import javax.mail.MessagingException;
import
org.apache.commons.collections.CollectionUtils
;
import
org.apache.commons.lang.RandomStringUtils
;
import
org.seasar.extension.jdbc.AutoSelect
;
import
org.seasar.extension.jdbc.where.ComplexWhere
;
import
org.seasar.extension.jdbc.where.SimpleWhere
;
import
org.seasar.framework.beans.util.BeanMap
;
import
org.seasar.framework.beans.util.Beans
;
...
...
@@ -93,10 +94,15 @@ public class MemberService extends AbstractService<Member> {
*/
public
List
<
Member
>
findByEmail
(
String
email
)
{
//入力されたemailでsub_pc_email,main_pc_emailともに検索する。
return
jdbcManager
.
from
(
Member
.
class
).
where
(
" '"
+
email
+
"' in (sub_pc_email,main_pc_email) and del_flg = ? and valid_flg = ? "
,
Integer
.
parseInt
(
SinaburoConstant
.
DelFlg
.
NOT_DEL
)
,
SinaburoConstant
.
ValidFlg
.
VALID
).
getResultList
();
// return jdbcManager.from(Member.class).where(" '"+email+"' in (sub_pc_email,main_pc_email) and del_flg = ? and valid_flg = ? "
// ,Integer.parseInt(SinaburoConstant.DelFlg.NOT_DEL)
// ,SinaburoConstant.ValidFlg.VALID
// ).getResultList();
// 脆弱性対応
return
select
().
where
(
new
SimpleWhere
().
eq
(
"delFlg"
,
SinaburoConstant
.
DelFlg
.
NOT_DEL
).
eq
(
"validFlg"
,
SinaburoConstant
.
ValidFlg
.
VALID
),
new
ComplexWhere
().
eq
(
"mainPcEmail"
,
email
)
.
or
()
.
eq
(
"subPcEmail"
,
email
)).
getResultList
();
}
...
...
src/main/webapp/WEB-INF/view/admin/member/memberConfirm.html
View file @
b74f259b
...
...
@@ -111,10 +111,11 @@
<tr>
<td>
生年月日
</td>
<td>
#if($!memberEditForm.birthdayY+$!memberEditForm.birthdayM+$!memberEditForm.birthdayD.length() != 0)
$!memberEditForm.birthdayY年$!memberEditForm.birthdayM月$!memberEditForm.birthdayD日
#else 未選択
#end
#set($yyyymmdd = $!memberEditForm.birthdayY + $!memberEditForm.birthdayM + $!memberEditForm.birthdayD)
#if($yyyymmdd.length() != 0)
#he($!memberEditForm.birthdayY)年#he($!memberEditForm.birthdayM)月#he($!memberEditForm.birthdayD)日
#else 未選択
#end
</td>
</tr>
<tr>
...
...
@@ -123,12 +124,12 @@
</tr>
<tr>
<td>
ポイント
</td>
<td>
$!escape.html
($!memberEditForm.point)
<td>
#he
($!memberEditForm.point)
</td>
</tr>
<tr
style=
"vertical-align:top"
>
<td
style=
"vertical-align:top"
>
メモ
</td>
<td>
$!escape.html
($!memberEditForm.memo)
<td>
#he
($!memberEditForm.memo)
</td>
</tr>
...
...
@@ -140,9 +141,9 @@
</div>
##
</div>
#makeToken()
<input
type=
"hidden"
name=
"loginIdBefore"
value=
"$!memberEditForm.loginIdBefore"
>
<input
type=
"hidden"
name=
"mainPcEmailBefore"
value=
"$!memberEditForm.mainPcEmailBefore"
>
<input
type=
"hidden"
name=
"subPcEmailBefore"
value=
"$!memberEditForm.subPcEmailBefore"
>
<input
type=
"hidden"
name=
"loginIdBefore"
value=
'#he("$!{memberEditForm.loginIdBefore}")'
>
<input
type=
"hidden"
name=
"mainPcEmailBefore"
value=
'#he("$!{memberEditForm.mainPcEmailBefore}")'
>
<input
type=
"hidden"
name=
"subPcEmailBefore"
value=
'#he("$!{memberEditForm.subPcEmailBefore}")'
>
</form>
</div>
</div>
...
...
src/main/webapp/WEB-INF/view/admin/member/memberEdit.html
View file @
b74f259b
...
...
@@ -242,14 +242,14 @@
</tr>
<tr>
<td>
ポイント
<font
class=
"listpoint"
>
*
</font></td>
<td><input
name=
"point"
type=
"text"
/
class=
"w250"
value=
"$!escape.html($!memberEditForm.point)"
>
<td><input
name=
"point"
type=
"text"
/
class=
"w250"
value=
'#he("$!{memberEditForm.point}")'
>
<BR>
$!tools.getMsg("point")
</td>
</tr>
<tr>
<td
style=
"vertical-align:top"
>
メモ
</td>
<td>
<textarea
name=
"memo"
cols=
"35"
rows=
"5"
class=
"w180 mgt5"
>
$!memberEditForm.memo
</textarea>
<textarea
name=
"memo"
cols=
"35"
rows=
"5"
class=
"w180 mgt5"
>
#he($!memberEditForm.memo)
</textarea>
<BR>
$!tools.getMsg("memo")
</td>
</tr>
...
...
@@ -267,11 +267,11 @@
</div>
##
</div>
#makeToken()
<input
type=
"hidden"
name=
"loginIdBefore"
value=
"$!memberEditForm.loginIdBefore"
>
<input
type=
"hidden"
name=
"mainPcEmailBefore"
value=
"$!memberEditForm.mainPcEmailBefore"
>
<input
type=
"hidden"
name=
"subPcEmailBefore"
value=
"$!memberEditForm.subPcEmailBefore"
>
<input
type=
"hidden"
name=
"memberId"
value=
"$!memberEditForm.memberId"
>
<input
type=
"hidden"
name=
"withDrawFlgBefore"
value=
"$!memberEditForm.withDrawFlgBefore"
>
<input
type=
"hidden"
name=
"loginIdBefore"
value=
'#he("$!{memberEditForm.loginIdBefore}")'
>
<input
type=
"hidden"
name=
"mainPcEmailBefore"
value=
'#he("$!{memberEditForm.mainPcEmailBefore}")'
>
<input
type=
"hidden"
name=
"subPcEmailBefore"
value=
'#he("$!{memberEditForm.subPcEmailBefore}")'
>
<input
type=
"hidden"
name=
"memberId"
value=
'#he("$!{memberEditForm.memberId}")'
>
<input
type=
"hidden"
name=
"withDrawFlgBefore"
value=
'#he("$!{memberEditForm.withDrawFlgBefore}")'
>
</form>
</div>
...
...
src/main/webapp/WEB-INF/view/admin/member/memberInput.html
View file @
b74f259b
...
...
@@ -220,14 +220,14 @@
##
</tr>
<tr>
<td>
ポイント
<font
class=
"listpoint"
>
*
</font></td>
<td><input
name=
"point"
type=
"text"
/
class=
"w250"
value=
"$!escape.html($!memberEditForm.point)"
>
<td><input
name=
"point"
type=
"text"
/
class=
"w250"
value=
'#he("$!{memberEditForm.point}")'
>
<BR>
$!tools.getMsg("point")
</td>
</tr>
<tr>
<td
style=
"vertical-align:top"
>
メモ
</td>
<td>
<textarea
name=
"memo"
cols=
"35"
rows=
"5"
class=
"w180 mgt5"
>
$!memberEditForm.memo
</textarea>
<textarea
name=
"memo"
cols=
"35"
rows=
"5"
class=
"w180 mgt5"
>
#he($!memberEditForm.memo)
</textarea>
<BR>
$!tools.getMsg("memo")
</td>
</tr>
...
...
@@ -242,10 +242,10 @@
<button
class=
"button"
onclick=
"send_check(); return false;"
>
入力情報確認
</button>
</div>
##
</div>
<input
type=
"hidden"
name=
"loginIdBefore"
value=
"$!memberEditForm.loginIdBefore"
>
<input
type=
"hidden"
name=
"mainPcEmailBefore"
value=
"$!memberEditForm.mainPcEmailBefore"
>
<input
type=
"hidden"
name=
"subPcEmailBefore"
value=
"$!memberEditForm.subPcEmailBefore"
>
<input
type=
"hidden"
name=
"memberId"
value=
"$!memberEditForm.memberId"
>
<input
type=
"hidden"
name=
"loginIdBefore"
value=
'#he("$!{memberEditForm.loginIdBefore}")'
>
<input
type=
"hidden"
name=
"mainPcEmailBefore"
value=
'#he("$!{memberEditForm.mainPcEmailBefore}")'
>
<input
type=
"hidden"
name=
"subPcEmailBefore"
value=
'#he("$!{memberEditForm.subPcEmailBefore}")'
>
<input
type=
"hidden"
name=
"memberId"
value=
'#he("$!{memberEditForm.memberId}")'
>
</form>
</div>
...
...
src/main/webapp/WEB-INF/view/admin/member/memberInputConfirm.html
View file @
b74f259b
...
...
@@ -106,8 +106,9 @@
<tr>
<td
style=
"vertical-align:top"
>
生年月日
</td>
<td>
#if($!memberEditForm.birthdayY+$!memberEditForm.birthdayM+$!memberEditForm.birthdayD.length() != 0)
$!memberEditForm.birthdayY年$!memberEditForm.birthdayM月$!memberEditForm.birthdayD日
#set($yyyymmdd = $!memberEditForm.birthdayY + $!memberEditForm.birthdayM + $!memberEditForm.birthdayD)
#if($yyyymmdd.length() != 0)
#he($!memberEditForm.birthdayY)年#he($!memberEditForm.birthdayM)月#he($!memberEditForm.birthdayD)日
#else 未選択
#end
</td>
...
...
@@ -119,12 +120,12 @@
##
</tr>
<tr>
<td>
ポイント
</td>
<td>
$!escape.html
($!memberEditForm.point)
<td>
#he
($!memberEditForm.point)
</td>
</tr>
<tr>
<td
style=
"vertical-align:top"
>
メモ
</td>
<td>
$!escape.html
($!memberEditForm.memo)
<td>
#he
($!memberEditForm.memo)
</td>
</tr>
...
...
@@ -136,9 +137,9 @@
</div>
##
</div>
#makeToken()
<input
type=
"hidden"
name=
"loginIdBefore"
value=
"$!memberEditForm.loginIdBefore"
>
<input
type=
"hidden"
name=
"mainPcEmailBefore"
value=
"$!memberEditForm.mainPcEmailBefore"
>
<input
type=
"hidden"
name=
"subPcEmailBefore"
value=
"$!memberEditForm.subPcEmailBefore"
>
<input
type=
"hidden"
name=
"loginIdBefore"
value=
'#he("$!{memberEditForm.loginIdBefore}")'
>
<input
type=
"hidden"
name=
"mainPcEmailBefore"
value=
'#he("$!{memberEditForm.mainPcEmailBefore}")'
>
<input
type=
"hidden"
name=
"subPcEmailBefore"
value=
'#he("$!{memberEditForm.subPcEmailBefore}")'
>
</form>
</div>
</div>
...
...
src/main/webapp/WEB-INF/view/admin/member/memberSearch.html
View file @
b74f259b
...
...
@@ -88,7 +88,7 @@ function formClear(form_obj){
<tr>
<td
class=
"w100"
>
電話
</td>
<td><input
name=
"telNo"
type=
"text"
class=
"w180 mgl10"
value=
"$!escape.html($!memberSearchForm.telNo)"
>
を含む
</td>
<td
class=
"w100"
>
性別
$!memberSearchForm.genderCd
</td>
<td
class=
"w100"
>
性別
#he($!memberSearchForm.genderCd)
</td>
<td>
<select
name=
"genderCd"
id=
"genderCd"
class=
"w100 mgl10"
>
<option
value=
""
></option>
...
...
src/main/webapp/WEB-INF/view/admin/setting/adminRegist.html
View file @
b74f259b
...
...
@@ -38,19 +38,19 @@
#end
<h3
class=
"table_title"
>
管理者情報
</h3>
<form
method=
"POST"
action=
"#q('/admin/setting/adminRegist/confirm/')"
>
<input
type=
"hidden"
name=
"clickedLoginId"
id=
"clickedLoginId"
value=
"$!clickedLoginId"
/>
<input
type=
"hidden"
name=
"clickedLoginId"
id=
"clickedLoginId"
value=
'#he("$!{clickedLoginId}")'
/>
#if($adminUserIndex)
#set($adminUser = $adminRegistForm.adminUserList.get($adminUserIndex))
#end
<input
type=
"hidden"
name=
"updateFlag"
id=
"updateFlag"
value=
"$!adminRegistForm.updateFlag"
/>
<input
type=
"hidden"
name=
"pageNo"
id=
"pageNo"
value=
"${pageNo}"
/>
<input
type=
"hidden"
name=
"updateFlag"
id=
"updateFlag"
value=
'#he("$!{adminRegistForm.updateFlag}")'
/>
<input
type=
"hidden"
name=
"pageNo"
id=
"pageNo"
value=
'#he("$!{pageNo}")'
/>
<table
border=
"0"
cellpadding=
"0"
cellspacing=
"0"
class=
"stripe2 mgb10 w840"
>
<tr>
<td
class=
"w240 t_center"
>
ログインID
<font
class=
"listpoint"
>
*
</font></td>
<td
class=
"w600 t_left"
colspan=
"2"
><input
name=
"loginId"
type=
"text"
class=
"w230"
value=
"$!escape.html($!{adminRegistForm.loginId})"
/><BR>
$tools.getMsg("loginId") $tools.getMsg("repetLoginId")
<input
name=
"adminUserId"
type=
"hidden"
value=
"$!{adminUserId}"
/>
<input
name=
"delFlg"
type=
"hidden"
value=
"$!{delFlg}"
/>
<input
name=
"adminUserId"
type=
"hidden"
value=
'#he("$!{adminUserId}")'
/>
<input
name=
"delFlg"
type=
"hidden"
value=
'#he("$!{delFlg}")'
/>
</td>
</tr>
<tr>
...
...
src/main/webapp/WEB-INF/view/admin/setting/adminRegistConfirm.html
View file @
b74f259b
...
...
@@ -39,10 +39,10 @@
<div
id=
"right_contents"
>
<h3
class=
"table_title"
>
管理者#if($!adminRegistForm.updateFlag=="update")編集#else登録#end確認
</h3>
<form
method=
"POST"
action=
"#q('/admin/setting/adminRegist/regist/')"
>
<input
type=
"hidden"
name=
"loginIdFromList"
id=
"loginIdFromList"
value=
"$!loginIdFromList"
/>
<input
type=
"hidden"
name=
"clickedLoginId"
id=
"clickedLoginId"
value=
"$!clickedLoginId"
/>
<input
type=
"hidden"
name=
"updateFlag"
id=
"updateFlag"
value=
"$!adminRegistForm.updateFlag"
/>
<input
type=
"hidden"
name=
"pageNo"
id=
"pageNo"
value=
"${pageNo}"
/>
<input
type=
"hidden"
name=
"loginIdFromList"
id=
"loginIdFromList"
value=
'#he("$!{loginIdFromList}")'
/>
<input
type=
"hidden"
name=
"clickedLoginId"
id=
"clickedLoginId"
value=
'#he("$!{clickedLoginId}")'
/>
<input
type=
"hidden"
name=
"updateFlag"
id=
"updateFlag"
value=
'#he("$!{adminRegistForm.updateFlag}")'
/>
<input
type=
"hidden"
name=
"pageNo"
id=
"pageNo"
value=
'#he("$!{pageNo}")'
/>
<table
border=
"0"
cellpadding=
"0"
cellspacing=
"0"
class=
"stripe2 mgb30 w850"
>
...
...
@@ -65,12 +65,12 @@
</tr>
##
<tr>
##
<td
class=
"w840 t_center"
colspan=
"2"
>
##
<input
type=
"hidden"
name=
"adminUserId"
value=
"$!{adminRegistForm.adminUserId}"
/>
##
<input
type=
"hidden"
name=
"loginId"
value=
"$!{adminRegistForm.loginId}"
/>
##
<input
type=
"hidden"
name=
"password"
value=
"$!{adminRegistForm.password}"
/>
##
<input
type=
"hidden"
name=
"adminUserName"
value=
"$!{adminRegistForm.adminUserName}"
/>
##
<input
type=
"hidden"
name=
"email"
value=
"$!{adminRegistForm.email}"
/>
<input
type=
"hidden"
name=
"delFlg"
value=
"$!{adminRegistForm.delFlg}"
/>
##
<input
type=
"hidden"
name=
"adminUserId"
value=
'#he("$!{adminUserId}")'
/>
##
<input
type=
"hidden"
name=
"loginId"
value=
'#he("$!{adminRegistForm.loginId}")'
/>
##
<input
type=
"hidden"
name=
"password"
value=
'#he("$!{adminRegistForm.password}")'
/>
##
<input
type=
"hidden"
name=
"adminUserName"
value=
'#he("$!{adminRegistForm.adminUserName}")'
/>
##
<input
type=
"hidden"
name=
"email"
value=
'#he("$!{adminRegistForm.email}")'
/>
<input
type=
"hidden"
name=
"delFlg"
value=
'#he("$!{adminRegistForm.delFlg}")'
/>
##
<input
type=
"button"
class=
"button"
onclick=
"back();"
value=
"戻る"
/>
<input
type=
"submit"
class=
"button"
value=
"登録"
/>
##
</td>
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment