linxianzhuang/saasshop
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

refactor: 抽出 BackUrl::sanitizeForLinks 统一 back 安全护栏

Browse Source
This commit is contained in:
萝卜
2026-03-14 18:23:00 +00:00
parent 4aa44258f8
commit 3ffc87f78c
8 changed files with 44 additions and 36 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
resources/views/admin/platform_orders/form.blade.php
View File

@@ -137,11 +137,7 @@
// - 拒绝引号/尖括号
// - 拒绝 nested back=(避免 URL 膨胀/绕过)
// 说明:此处 href 采用原样输出以避免 & 影响回链/断言。
$safeBackForLinks = (str_starts_with($incomingBack, '/')
&& !preg_match('/["\'<>]/', $incomingBack)
&& !preg_match('/(?:^|[?&])back=/', $incomingBack))
? $incomingBack
: '';
$safeBackForLinks = \App\Support\BackUrl::sanitizeForLinks($incomingBack);
@endphp
@if($safeBackForLinks !== '')

6
resources/views/admin/platform_orders/index.blade.php
View File

@@ -22,11 +22,7 @@
// - 拒绝引号/尖括号(由于本页大量 href 采用 `{!! !!}` 原样输出,必须严控注入风险)
// - 拒绝 nested back=(避免 URL 膨胀/绕过)
$incomingBackForLinks = (string) request()->query('back', '');
$safeBackForLinks = (str_starts_with($incomingBackForLinks, '/')
&& !preg_match('/["\'<>]/', $incomingBackForLinks)
&& !preg_match('/(?:^|[?&])back=/', $incomingBackForLinks))
? $incomingBackForLinks
: '';
$safeBackForLinks = \App\Support\BackUrl::sanitizeForLinks($incomingBackForLinks);
// 金额展示:精简视图尽量更短(整数不显示 .00full 视图保持两位小数(便于对账)
$formatMoneyCompact = function ($amount) {

6
resources/views/admin/platform_orders/show.blade.php
View File

@@ -766,11 +766,7 @@
// - 拒绝引号/尖括号
// - 拒绝 nested back=(避免 URL 膨胀/绕过)
// 说明:下方 href 采用原样输出以避免 &amp; 影响断言。
$safeBackForLinks = (str_starts_with($incomingBack, '/')
&& !preg_match('/["\'<>]/', $incomingBack)
&& !preg_match('/(?:^|[?&])back=/', $incomingBack))
? $incomingBack
: '';
$safeBackForLinks = \App\Support\BackUrl::sanitizeForLinks($incomingBack);
// 若 back 指向的平台订单列表带 lead_id则在详情页也提示当前来源线索更不迷路
$leadIdFromBack = 0;