From 18c44f3a1cf59dcb528ef7b8ac4c10f39aadefe9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=EA=B9=80=EB=B3=B4=EA=B3=A4?=
 <lightone2017@codebridge-x.com>
Date: Wed, 4 Mar 2026 14:21:07 +0900
Subject: [PATCH] =?UTF-8?q?fix:=20[approval]=20=EA=B2=B0=EC=9E=AC=EC=84=A0?=
 =?UTF-8?q?=20=EC=9A=94=EC=95=BD=20=EC=B9=B4=EB=93=9C=20XSS=20=EB=B0=A9?=
 =?UTF-8?q?=EC=96=B4=20=EC=B6=94=EA=B0=80?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- updateApprovalLineSummary의 innerHTML에 escapeHtml 함수 적용
- user_name, position, stepLabel 출력 시 HTML 이스케이프 처리
---
 resources/views/approvals/create.blade.php | 13 ++++++++++---
 resources/views/approvals/edit.blade.php   | 13 ++++++++++---
 2 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/resources/views/approvals/create.blade.php b/resources/views/approvals/create.blade.php
index e772f874..3f759d55 100644
--- a/resources/views/approvals/create.blade.php
+++ b/resources/views/approvals/create.blade.php
@@ -172,6 +172,13 @@ class="px-6 py-2 bg-blue-600 hover:bg-blue-700 text-white rounded-lg text-sm fon
 const formBodyTemplates = @json($forms->pluck('body_template', 'id'));
 const linesData = @json($lines);
 
+function escapeHtml(str) {
+    if (!str) return '';
+    const div = document.createElement('div');
+    div.appendChild(document.createTextNode(str));
+    return div.innerHTML;
+}
+
 function toggleEditor() {
     const useEditor = document.getElementById('useEditor').checked;
     const textarea = document.getElementById('body');
@@ -274,9 +281,9 @@ function updateApprovalLineSummary() {
 
         cards.push(
             '<div class="step-card text-center px-3 py-2 rounded-lg border ' + bg + '" data-index="' + i + '" style="min-width: 72px;">' +
-            '<div class="text-xs font-medium ' + labelColor + '">' + stepLabel + '</div>' +
-            (position ? '<div class="text-xs text-gray-400 mt-0.5">' + position + '</div>' : '') +
-            '<div class="text-sm font-semibold text-gray-800 mt-0.5">' + s.user_name + '</div>' +
+            '<div class="text-xs font-medium ' + labelColor + '">' + escapeHtml(stepLabel) + '</div>' +
+            (position ? '<div class="text-xs text-gray-400 mt-0.5">' + escapeHtml(position) + '</div>' : '') +
+            '<div class="text-sm font-semibold text-gray-800 mt-0.5">' + escapeHtml(s.user_name) + '</div>' +
             '</div>'
         );
     });
diff --git a/resources/views/approvals/edit.blade.php b/resources/views/approvals/edit.blade.php
index d9fc7515..fed2e480 100644
--- a/resources/views/approvals/edit.blade.php
+++ b/resources/views/approvals/edit.blade.php
@@ -206,6 +206,13 @@ class="px-6 py-2 bg-blue-600 hover:bg-blue-700 text-white rounded-lg text-sm fon
 const formBodyTemplates = @json($forms->pluck('body_template', 'id'));
 const linesData = @json($lines);
 
+function escapeHtml(str) {
+    if (!str) return '';
+    const div = document.createElement('div');
+    div.appendChild(document.createTextNode(str));
+    return div.innerHTML;
+}
+
 function toggleEditor() {
     const useEditor = document.getElementById('useEditor').checked;
     const textarea = document.getElementById('body');
@@ -308,9 +315,9 @@ function updateApprovalLineSummary() {
 
         cards.push(
             '<div class="step-card text-center px-3 py-2 rounded-lg border ' + bg + '" data-index="' + i + '" style="min-width: 72px;">' +
-            '<div class="text-xs font-medium ' + labelColor + '">' + stepLabel + '</div>' +
-            (position ? '<div class="text-xs text-gray-400 mt-0.5">' + position + '</div>' : '') +
-            '<div class="text-sm font-semibold text-gray-800 mt-0.5">' + s.user_name + '</div>' +
+            '<div class="text-xs font-medium ' + labelColor + '">' + escapeHtml(stepLabel) + '</div>' +
+            (position ? '<div class="text-xs text-gray-400 mt-0.5">' + escapeHtml(position) + '</div>' : '') +
+            '<div class="text-sm font-semibold text-gray-800 mt-0.5">' + escapeHtml(s.user_name) + '</div>' +
             '</div>'
         );
     });