PlatformOrders: unify back sanitize via BackUrl

萝卜
2026-03-14 22:45:46 +00:00
parent e378973f05
commit 2d824d29dd


@@ -8,6 +8,7 @@ use App\Models\Merchant;
use App\Models\Plan; use App\Models\Plan;
use App\Models\PlatformOrder; use App\Models\PlatformOrder;
use App\Models\SiteSubscription; use App\Models\SiteSubscription;
use App\Support\BackUrl;
use App\Support\SubscriptionActivationService; use App\Support\SubscriptionActivationService;
use Illuminate\Database\Eloquent\Builder; use Illuminate\Database\Eloquent\Builder;
use Illuminate\Http\RedirectResponse; use Illuminate\Http\RedirectResponse;
@@ -47,12 +48,7 @@ class PlatformOrderController extends Controller
// back 安全阀:必须为站内相对路径,并拒绝引号/尖括号。 // back 安全阀:必须为站内相对路径,并拒绝引号/尖括号。
// 说明form 页会把 defaults.back 透传到 hidden input 与返回按钮;因此这里提前清洗,避免 unsafe back 在页面中出现。 // 说明form 页会把 defaults.back 透传到 hidden input 与返回按钮;因此这里提前清洗,避免 unsafe back 在页面中出现。
$incomingBack = (string) ($defaults['back'] ?? ''); $incomingBack = (string) ($defaults['back'] ?? '');
$defaults['back'] = (str_starts_with($incomingBack, '/') $defaults['back'] = BackUrl::sanitizeForLinks($incomingBack);
&& !preg_match('/["\'<>]/', $incomingBack)
// back 本身不应再包含 back避免无限嵌套导致 URL 膨胀)
&& !preg_match('/(?:^|[?&])back=/', $incomingBack))
? $incomingBack
: '';
$siteSubscription = null; $siteSubscription = null;
$siteSubscriptionId = (int) ($defaults['site_subscription_id'] ?? 0); $siteSubscriptionId = (int) ($defaults['site_subscription_id'] ?? 0);
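Review bot: The inline check that `BackUrl::sanitizeForLinks($incomingBack)` replaces only required a leading `/`, which still admits protocol-relative targets such as `//evil.example` or `/\evil.example` that browsers resolve to another host, so the swap is only a hardening win if the helper rejects those too; its body is not in this diff, so that should be confirmed (a guard of the shape `preg_match('#^/(?![/\\\\])#', $back)` is what the old code was missing). This matters because the same value is later handed to a redirect in the last hunk as well as echoed into the form, and an open redirect from an admin page is a phishing primitive. The new comment also drops the old note that `defaults.back` is passed through to a hidden input and the back button; keep a line such as `// sanitized here because the form echoes this value raw into a hidden input and the back button` so the next maintainer knows why a link sanitizer is applied this early. The surrounding method starts and ends outside this hunk.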
@@ -153,13 +149,8 @@ class PlatformOrderController extends Controller
} }
$back = (string) ($data['back'] ?? ''); $back = (string) ($data['back'] ?? '');
// back 需为站内相对路径,并拒绝引号/尖括号,避免在后续页面以 `{!! !!}` 原样输出时引入 XSS 风险 // back 安全护栏:统一收敛到 BackUrl::sanitizeForLinks避免口径漂移
$safeBack = (str_starts_with($back, '/') $safeBack = BackUrl::sanitizeForLinks($back);
&& !preg_match('/["\'<>]/', $back)
// back 本身不应再包含 back避免无限嵌套导致 URL 膨胀)
&& !preg_match('/(?:^|[?&])back=/', $back))
? $back
: '';
$redirectUrl = '/admin/platform-orders/' . $order->id; $redirectUrl = '/admin/platform-orders/' . $order->id;
if ($safeBack !== '') { if ($safeBack !== '') {