订阅页 back 安全护栏：快捷筛选仅透传安全 back（补测试）

resources/views/admin/site_subscriptions/index.blade.php

@@ -61,19 +61,31 @@
     <div class="muted mb-10">用于运营快速定位需要处理的订阅集合（口径基于筛选条件组合）。</div>
 
     @php
-        // 快捷筛选：仅保留“上下文”字段（站点/套餐/back/关键词），避免把其它筛选条件叠加导致空结果
-        $buildQuickFilterUrl = function (array $overrides) {
+        // back 安全护栏：本页大量链接使用 `{!! !!}` 原样输出，必须严控 back 注入与 nested back。
+        $incomingBack = (string) request()->query('back', '');
+        $safeBackForLinks = (str_starts_with($incomingBack, '/')
+            && !preg_match('/["\'<>]/', $incomingBack)
+            // back 本身不应再包含 back（避免无限嵌套导致 URL 膨胀）
+            && !preg_match('/(?:^|[?&])back=/', $incomingBack))
+            ? $incomingBack
+            : '';
+
+        // 快捷筛选：仅保留“上下文”字段（站点/套餐/keyword/安全 back），避免把其它筛选条件叠加导致空结果
+        $buildQuickFilterUrl = function (array $overrides) use ($safeBackForLinks) {
             $path = '/' . ltrim(request()->path(), '/');
 
             $contextKeys = [
                 'merchant_id' => 1,
                 'plan_id' => 1,
-                'back' => 1,
                 'keyword' => 1,
             ];
 
             $q = array_intersect_key(request()->query(), $contextKeys);
 
+            if ($safeBackForLinks !== '') {
+                $q['back'] = $safeBackForLinks;
+            }
+
             foreach ($overrides as $k => $v) {
                 if ($v === null) {
                     unset($q[$k]);
@@ -89,17 +101,10 @@
             return $path . '?' . \Illuminate\Support\Arr::query($q);
         };
 
-        // “全部”：清空筛选，但保留 back（用于返回来源页）
-        $incomingBack = (string) request()->query('back', '');
-        $safeBack = (str_starts_with($incomingBack, '/')
-            && !preg_match('/["\'<>]/', $incomingBack)
-            // back 本身不应再包含 back（避免无限嵌套导致 URL 膨胀）
-            && !preg_match('/(?:^|[?&])back=/', $incomingBack))
-            ? $incomingBack
-            : '';
+        // “全部”：清空筛选，但保留安全 back（用于返回来源页）
         $allUrl = '/admin/site-subscriptions';
-        if ($safeBack !== '') {
-            $allUrl .= '?' . \Illuminate\Support\Arr::query(['back' => $safeBack]);
+        if ($safeBackForLinks !== '') {
+            $allUrl .= '?' . \Illuminate\Support\Arr::query(['back' => $safeBackForLinks]);
         }
     @endphp
 

tests/Feature/AdminSiteSubscriptionIndexUnsafeBackShouldBeDroppedForLinksTest.php

@@ -0,0 +1,47 @@
+<?php
+
+namespace Tests\Feature;
+
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use PHPUnit\Framework\Attributes\DataProvider;
+use Tests\TestCase;
+
+class AdminSiteSubscriptionIndexUnsafeBackShouldBeDroppedForLinksTest extends TestCase
+{
+    use RefreshDatabase;
+
+    protected function loginAsPlatformAdmin(): void
+    {
+        $this->seed();
+
+        $this->post('/admin/login', [
+            'email' => 'platform.admin@demo.local',
+            'password' => 'Platform@123456',
+        ])->assertRedirect('/admin');
+    }
+
+    public static function invalidBackProvider(): array
+    {
+        return [
+            'contains quote' => ['/' . 'admin/site-subscriptions?x="y"'],
+            'contains angle bracket' => ['/admin/site-subscriptions?x=<script>'],
+            'nested back param' => ['/admin/site-subscriptions?status=active&back=/admin/platform-orders'],
+            'absolute url' => ['https://evil.example.com'],
+        ];
+    }
+
+    #[DataProvider('invalidBackProvider')]
+    public function test_index_should_drop_unsafe_back_for_links(string $back): void
+    {
+        $this->loginAsPlatformAdmin();
+
+        $res = $this->get('/admin/site-subscriptions?back=' . urlencode($back));
+        $res->assertOk();
+
+        // 不应渲染 back 回退入口
+        $res->assertDontSee('返回上一页（保留上下文）');
+
+        // 快捷筛选/全部链接不应透传 unsafe back
+        $res->assertDontSee('back=' . $back, false);
+    }
+}