refactor: 抽出 BackUrl::sanitizeForLinks 统一 back 安全护栏

2026-03-14 18:23:00 +00:00
parent 4aa44258f8
commit 3ffc87f78c
8 changed files with 44 additions and 36 deletions
--- a/resources/views/admin/plans/form.blade.php
+++ b/resources/views/admin/plans/form.blade.php
@@ -18,11 +18,7 @@
        // - 仅允许站内相对路径（/ 开头）
        // - 拒绝引号/尖括号
        // - 拒绝 nested back=（避免 URL 膨胀/绕过）
-        $safeBackForLinks = (str_starts_with($incomingBack, '/')
-            && !preg_match('/["\'<>]/', $incomingBack)
-            && !preg_match('/(?:^|[?&])back=/', $incomingBack))
-            ? $incomingBack
-            : '';
+        $safeBackForLinks = \App\Support\BackUrl::sanitizeForLinks($incomingBack);
    @endphp
    @if($safeBackForLinks !== '')
        <input type="hidden" name="back" value="{{ $safeBackForLinks }}">