From 2d10c80f2bcafc0a1ea76a58ffe09f0afd94f372 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E8=90=9D=E5=8D=9C?= Date: Sat, 14 Mar 2026 15:45:20 +0000 Subject: [PATCH] =?UTF-8?q?=E8=AE=A2=E9=98=85=E9=A1=B5=20back=20=E5=AE=89?= =?UTF-8?q?=E5=85=A8=E6=8A=A4=E6=A0=8F=EF=BC=9A=E5=BF=AB=E6=8D=B7=E7=AD=9B?= =?UTF-8?q?=E9=80=89=E4=BB=85=E9=80=8F=E4=BC=A0=E5=AE=89=E5=85=A8=20back?= =?UTF-8?q?=EF=BC=88=E8=A1=A5=E6=B5=8B=E8=AF=95=EF=BC=89?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../admin/site_subscriptions/index.blade.php | 31 +++++++----- ...xUnsafeBackShouldBeDroppedForLinksTest.php | 47 +++++++++++++++++++ 2 files changed, 65 insertions(+), 13 deletions(-) create mode 100644 tests/Feature/AdminSiteSubscriptionIndexUnsafeBackShouldBeDroppedForLinksTest.php diff --git a/resources/views/admin/site_subscriptions/index.blade.php b/resources/views/admin/site_subscriptions/index.blade.php index 97c358b..fd71f0c 100644 --- a/resources/views/admin/site_subscriptions/index.blade.php +++ b/resources/views/admin/site_subscriptions/index.blade.php @@ -61,19 +61,31 @@
用于运营快速定位需要处理的订阅集合(口径基于筛选条件组合)。
@php - // 快捷筛选:仅保留“上下文”字段(站点/套餐/back/关键词),避免把其它筛选条件叠加导致空结果 - $buildQuickFilterUrl = function (array $overrides) { + // back 安全护栏:本页大量链接使用 `{!! !!}` 原样输出,必须严控 back 注入与 nested back。 + $incomingBack = (string) request()->query('back', ''); + $safeBackForLinks = (str_starts_with($incomingBack, '/') + && !preg_match('/["\'<>]/', $incomingBack) + // back 本身不应再包含 back(避免无限嵌套导致 URL 膨胀) + && !preg_match('/(?:^|[?&])back=/', $incomingBack)) + ? $incomingBack + : ''; + + // 快捷筛选:仅保留“上下文”字段(站点/套餐/keyword/安全 back),避免把其它筛选条件叠加导致空结果 + $buildQuickFilterUrl = function (array $overrides) use ($safeBackForLinks) { $path = '/' . ltrim(request()->path(), '/'); $contextKeys = [ 'merchant_id' => 1, 'plan_id' => 1, - 'back' => 1, 'keyword' => 1, ]; $q = array_intersect_key(request()->query(), $contextKeys); + if ($safeBackForLinks !== '') { + $q['back'] = $safeBackForLinks; + } + foreach ($overrides as $k => $v) { if ($v === null) { unset($q[$k]); @@ -89,17 +101,10 @@ return $path . '?' . \Illuminate\Support\Arr::query($q); }; - // “全部”:清空筛选,但保留 back(用于返回来源页) - $incomingBack = (string) request()->query('back', ''); - $safeBack = (str_starts_with($incomingBack, '/') - && !preg_match('/["\'<>]/', $incomingBack) - // back 本身不应再包含 back(避免无限嵌套导致 URL 膨胀) - && !preg_match('/(?:^|[?&])back=/', $incomingBack)) - ? $incomingBack - : ''; + // “全部”:清空筛选,但保留安全 back(用于返回来源页) $allUrl = '/admin/site-subscriptions'; - if ($safeBack !== '') { - $allUrl .= '?' . \Illuminate\Support\Arr::query(['back' => $safeBack]); + if ($safeBackForLinks !== '') { + $allUrl .= '?' . \Illuminate\Support\Arr::query(['back' => $safeBackForLinks]); } @endphp diff --git a/tests/Feature/AdminSiteSubscriptionIndexUnsafeBackShouldBeDroppedForLinksTest.php b/tests/Feature/AdminSiteSubscriptionIndexUnsafeBackShouldBeDroppedForLinksTest.php new file mode 100644 index 0000000..a608568 --- /dev/null +++ b/tests/Feature/AdminSiteSubscriptionIndexUnsafeBackShouldBeDroppedForLinksTest.php @@ -0,0 +1,47 @@ +seed(); + + $this->post('/admin/login', [ + 'email' => 'platform.admin@demo.local', + 'password' => 'Platform@123456', + ])->assertRedirect('/admin'); + } + + public static function invalidBackProvider(): array + { + return [ + 'contains quote' => ['/' . 'admin/site-subscriptions?x="y"'], + 'contains angle bracket' => ['/admin/site-subscriptions?x=