From 153c5af8cb030e8343345a5493027d60e4fa5448 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E8=90=9D=E5=8D=9C?= Date: Sat, 14 Mar 2026 01:37:16 +0000 Subject: [PATCH] =?UTF-8?q?fix(back):=20index=20=E5=BF=AB=E6=8D=B7?= =?UTF-8?q?=E7=AD=9B=E9=80=89=20allUrl=20=E7=9A=84=20safeBack=20=E5=A2=9E?= =?UTF-8?q?=E5=BC=BA=E6=A0=A1=E9=AA=8C=EF=BC=88=E6=8B=92=E7=BB=9D=E5=BC=95?= =?UTF-8?q?=E5=8F=B7/=E5=B0=96=E6=8B=AC=E5=8F=B7=EF=BC=89?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
---
 resources/views/admin/plans/index.blade.php | 4 +++-
 resources/views/admin/platform_orders/index.blade.php | 4 +++-
 resources/views/admin/site_subscriptions/index.blade.php | 4 +++-
 3 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/resources/views/admin/plans/index.blade.php b/resources/views/admin/plans/index.blade.php
index 425e35d..fd46f79 100644
--- a/resources/views/admin/plans/index.blade.php
+++ b/resources/views/admin/plans/index.blade.php
@@ -78,7 +78,9 @@
 // “全部”:清空筛选,但保留 back(用于返回来源页)
 $incomingBack = (string) request()->query('back', '');
- $safeBack2 = str_starts_with($incomingBack, '/') ? $incomingBack : '';
+ $safeBack2 = (str_starts_with($incomingBack, '/') && !preg_match('/["\'<>]/', $incomingBack))
+ ? $incomingBack
+ : '';
 $allUrl = '/admin/plans';
 if ($safeBack2 !== '') {
 $allUrl .= '?' . \Illuminate\Support\Arr::query(['back' => $safeBack2]);
diff --git a/resources/views/admin/platform_orders/index.blade.php b/resources/views/admin/platform_orders/index.blade.php
index 99d58d0..af85605 100644
--- a/resources/views/admin/platform_orders/index.blade.php
+++ b/resources/views/admin/platform_orders/index.blade.php
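Review bot: The tightened guard on the `+ $safeBack2 = …` line still accepts protocol-relative values such as `//host/path` (and `/\host`, which browsers treat the same way), because it only requires a leading `/` and the absence of `"'<>`; if `back` is later used as a redirect target or `href`, as the comment's "用于返回来源页" suggests, that leaves an open-redirect path the character blacklist does not close. I would change the condition to `str_starts_with($incomingBack, '/') && !str_starts_with($incomingBack, '//') && !str_starts_with($incomingBack, '/\\') && preg_match('/["\'<>]/', $incomingBack) === 0`, where `=== 0` also stops a `preg_match` failure (`false`) from being read as "no match" and letting the value through. Note that `Arr::query` already percent-encodes the value on the `$allUrl .=` line, so the new blacklist protects the eventual consumer of `back` rather than this query string. The identical block is repeated in the platform_orders and site_subscriptions hunks; a shared helper returning the sanitised path would keep the three copies from drifting. The enclosing block starts and ends outside the hunk, and where `back` is consumed is not shown here.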
@@ -113,7 +113,9 @@
 // “全部”:清空筛选,但保留 back(用于返回来源页)
 $incomingBack = (string) request()->query('back', '');
- $safeBack = str_starts_with($incomingBack, '/') ? $incomingBack : '';
+ $safeBack = (str_starts_with($incomingBack, '/') && !preg_match('/["\'<>]/', $incomingBack))
+ ? $incomingBack
+ : '';
 $allUrl = '/admin/platform-orders';
 if ($safeBack !== '') {
 $allUrl .= '?' . \Illuminate\Support\Arr::query(['back' => $safeBack]);
diff --git a/resources/views/admin/site_subscriptions/index.blade.php b/resources/views/admin/site_subscriptions/index.blade.php
index 1da57f5..fa412eb 100644
--- a/resources/views/admin/site_subscriptions/index.blade.php
+++ b/resources/views/admin/site_subscriptions/index.blade.php
@@ -88,7 +88,9 @@
 // “全部”:清空筛选,但保留 back(用于返回来源页)
 $incomingBack = (string) request()->query('back', '');
- $safeBack = str_starts_with($incomingBack, '/') ? $incomingBack : '';
+ $safeBack = (str_starts_with($incomingBack, '/') && !preg_match('/["\'<>]/', $incomingBack))
+ ? $incomingBack
+ : '';
 $allUrl = '/admin/site-subscriptions';
 if ($safeBack !== '') {
 $allUrl .= '?' . \Illuminate\Support\Arr::query(['back' => $safeBack]);