From 08488257cac3ca77aefe34b2daf6fe4d22e60c7f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E8=90=9D=E5=8D=9C?= Date: Sat, 14 Mar 2026 15:42:32 +0000 Subject: [PATCH] =?UTF-8?q?=E5=A5=97=E9=A4=90=E9=A1=B5=20back=20=E5=AE=89?= =?UTF-8?q?=E5=85=A8=E6=8A=A4=E6=A0=8F=EF=BC=9A=E5=BF=AB=E6=8D=B7=E7=AD=9B?= =?UTF-8?q?=E9=80=89=E4=BB=85=E9=80=8F=E4=BC=A0=E5=AE=89=E5=85=A8=20back?= =?UTF-8?q?=EF=BC=88=E8=A1=A5=E6=B5=8B=E8=AF=95=EF=BC=89?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- resources/views/admin/plans/index.blade.php | 33 ++++++++----- ...xUnsafeBackShouldBeDroppedForLinksTest.php | 47 +++++++++++++++++++ 2 files changed, 68 insertions(+), 12 deletions(-) create mode 100644 tests/Feature/AdminPlanIndexUnsafeBackShouldBeDroppedForLinksTest.php diff --git a/resources/views/admin/plans/index.blade.php b/resources/views/admin/plans/index.blade.php index beb9d0f..729a9b7 100644 --- a/resources/views/admin/plans/index.blade.php +++ b/resources/views/admin/plans/index.blade.php @@ -54,16 +54,28 @@ @php // 快捷筛选:仅保留“上下文”字段(back/keyword),避免把其它筛选条件叠加导致空结果 - $buildQuickFilterUrl = function (array $overrides) { + // 统一的 back 安全护栏:本页大量 href 采用 `{!! !!}` 原样输出,必须严控 back 注入与 nested back。 + $incomingBack = (string) request()->query('back', ''); + $safeBackForLinks = (str_starts_with($incomingBack, '/') + && !preg_match('/["\'<>]/', $incomingBack) + // back 本身不应再包含 back(避免无限嵌套导致 URL 膨胀) + && !preg_match('/(?:^|[?&])back=/', $incomingBack)) + ? $incomingBack + : ''; + + $buildQuickFilterUrl = function (array $overrides) use ($safeBackForLinks) { $path = '/' . ltrim(request()->path(), '/'); $contextKeys = [ - 'back' => 1, 'keyword' => 1, ]; $q = array_intersect_key(request()->query(), $contextKeys); + if ($safeBackForLinks !== '') { + $q['back'] = $safeBackForLinks; + } + foreach ($overrides as $k => $v) { if ($v === null) { unset($q[$k]); @@ -79,17 +91,14 @@ return $path . '?' . \Illuminate\Support\Arr::query($q); }; - // “全部”:清空筛选,但保留 back(用于返回来源页) - $incomingBack = (string) request()->query('back', ''); - $safeBack2 = (str_starts_with($incomingBack, '/') - && !preg_match('/["\'<>]/', $incomingBack) - // back 本身不应再包含 back(避免无限嵌套导致 URL 膨胀) - && !preg_match('/(?:^|[?&])back=/', $incomingBack)) - ? $incomingBack - : ''; + // “全部”:清空筛选,但保留安全 back(用于返回来源页) $allUrl = '/admin/plans'; - if ($safeBack2 !== '') { - $allUrl .= '?' . \Illuminate\Support\Arr::query(['back' => $safeBack2]); + if ($safeBackForLinks !== '') { + $allUrl .= '?' . \Illuminate\Support\Arr::query(['back' => $safeBackForLinks]); + } + + if ($safeBackForLinks !== '') { + $allUrl .= '?' . \Illuminate\Support\Arr::query(['back' => $safeBackForLinks]); } @endphp diff --git a/tests/Feature/AdminPlanIndexUnsafeBackShouldBeDroppedForLinksTest.php b/tests/Feature/AdminPlanIndexUnsafeBackShouldBeDroppedForLinksTest.php new file mode 100644 index 0000000..056172d --- /dev/null +++ b/tests/Feature/AdminPlanIndexUnsafeBackShouldBeDroppedForLinksTest.php @@ -0,0 +1,47 @@ +seed(); + + $this->post('/admin/login', [ + 'email' => 'platform.admin@demo.local', + 'password' => 'Platform@123456', + ])->assertRedirect('/admin'); + } + + public static function invalidBackProvider(): array + { + return [ + 'contains quote' => ['/' . 'admin/plans?x="y"'], + 'contains angle bracket' => ['/admin/plans?x=