From 2afe7dc8b740d4f980a69180046942461e74db2c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E8=90=9D=E5=8D=9C?= Date: Sat, 14 Mar 2026 10:15:04 +0000 Subject: [PATCH] fix(admin platform orders form): escape regex and block nested back --- resources/views/admin/platform_orders/form.blade.php | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/resources/views/admin/platform_orders/form.blade.php b/resources/views/admin/platform_orders/form.blade.php index d613e28..73ec940 100644 --- a/resources/views/admin/platform_orders/form.blade.php +++ b/resources/views/admin/platform_orders/form.blade.php @@ -127,7 +127,10 @@ $incomingBack = (string) ($defaults['back'] ?? ''); // 为避免 & 被 Blade escape 成 & 导致回退上下文丢失,这里需要原样输出 href。 // 安全护栏:必须为站内相对路径,并拒绝引号/尖括号,降低 XSS 风险。 - $safeBack = (str_starts_with($incomingBack, '/') && !preg_match('/["\'<>]/', $incomingBack)) + $safeBack = (str_starts_with($incomingBack, '/') + && !preg_match('/["\'<>]/', $incomingBack) + // back 本身不应再包含 back(避免无限嵌套导致 URL 膨胀) + && !preg_match('/(?:^|[?&])back=/', $incomingBack)) ? $incomingBack : ''; @endphp