diff --git a/resources/views/admin/platform_leads/index.blade.php b/resources/views/admin/platform_leads/index.blade.php
index dcdd974..70baacb 100644
--- a/resources/views/admin/platform_leads/index.blade.php
+++ b/resources/views/admin/platform_leads/index.blade.php
@@ -5,6 +5,16 @@
@section('content')
@php
+ $incomingBack = (string) request()->query('back', '');
+ // 为避免 & 被 Blade escape 成 & 导致回退上下文丢失,这里需要原样输出 href。
+ // 安全护栏:必须为站内相对路径,并拒绝引号/尖括号,且拒绝 nested back。
+ $safeBack = (str_starts_with($incomingBack, '/')
+ && !preg_match('/["\'<>]/', $incomingBack)
+ && !preg_match('/(?:^|[?&])back=/', $incomingBack))
+ ? $incomingBack
+ : '';
+
+
// back 参数用于“返回上一页(保留上下文)”,但 back 本身不应再包含 back(避免无限嵌套导致 URL 膨胀)
$currentQuery = request()->query();
unset($currentQuery['back']);
@@ -50,6 +60,12 @@
对外平台(/platform)收集的开通意向线索,用于前期 A(站点开通型)人工运营承接。
+
+ @if($safeBack)
+
+ @endif
后续会在此处逐步接入:一键生成站点/订阅/平台订单、跟进记录、转化漏斗与治理提示。
diff --git a/resources/views/admin/platform_orders/show.blade.php b/resources/views/admin/platform_orders/show.blade.php
index c18b02e..7fb0b5d 100644
--- a/resources/views/admin/platform_orders/show.blade.php
+++ b/resources/views/admin/platform_orders/show.blade.php
@@ -32,6 +32,23 @@
@endphp
这里用于运营排查:订单核心字段、关联订阅、以及订阅同步元数据(meta)。
+
+ @php
+ $platformLeadId = (int) (data_get($order->meta, 'platform_lead_id') ?? 0);
+ $leadIndexUrl = '';
+ if ($platformLeadId > 0) {
+ $leadIndexUrl = '/admin/platform-leads?' . \Illuminate\Support\Arr::query([
+ 'lead_id' => $platformLeadId,
+ 'back' => $orderShowSelf,
+ ]);
+ }
+ @endphp
+ @if($platformLeadId > 0)
+
+
来源线索:#{{ $platformLeadId }}
+
查看线索
+
+ @endif
diff --git a/tests/Feature/AdminPlatformLeadIndexBackLinkNotEscapedTest.php b/tests/Feature/AdminPlatformLeadIndexBackLinkNotEscapedTest.php
new file mode 100644
index 0000000..7c550f4
--- /dev/null
+++ b/tests/Feature/AdminPlatformLeadIndexBackLinkNotEscapedTest.php
@@ -0,0 +1,43 @@
+seed();
+
+ $this->post('/admin/login', [
+ 'email' => 'platform.admin@demo.local',
+ 'password' => 'Platform@123456',
+ ])->assertRedirect('/admin');
+ }
+
+ public function test_index_should_render_back_link_with_ampersand_not_escaped(): void
+ {
+ $this->loginAsPlatformAdmin();
+
+ $back = '/admin/platform-orders?' . Arr::query([
+ 'lead_id' => 12,
+ 'payment_status' => 'paid',
+ ]);
+
+ $url = '/admin/platform-leads?' . Arr::query([
+ 'back' => $back,
+ ]);
+
+ $res = $this->get($url);
+ $res->assertOk();
+
+ $res->assertSee('← 返回上一页(保留上下文)', false);
+ $res->assertSee('href="' . $back . '"', false);
+ $res->assertDontSee('&', false);
+ }
+}
diff --git a/tests/Feature/AdminPlatformOrderShowLeadContextLinkTest.php b/tests/Feature/AdminPlatformOrderShowLeadContextLinkTest.php
new file mode 100644
index 0000000..ee48ee0
--- /dev/null
+++ b/tests/Feature/AdminPlatformOrderShowLeadContextLinkTest.php
@@ -0,0 +1,92 @@
+seed();
+
+ $this->post('/admin/login', [
+ 'email' => 'platform.admin@demo.local',
+ 'password' => 'Platform@123456',
+ ])->assertRedirect('/admin');
+ }
+
+ public function test_show_should_render_lead_context_badge_and_view_link(): void
+ {
+ $this->loginAsPlatformAdmin();
+
+ $merchant = Merchant::query()->firstOrFail();
+
+ $plan = Plan::query()->create([
+ 'code' => 'order_show_lead_plan',
+ 'name' => '订单详情线索提示测试套餐',
+ 'billing_cycle' => 'monthly',
+ 'price' => 10,
+ 'list_price' => 10,
+ 'status' => 'active',
+ 'sort' => 10,
+ 'published_at' => now(),
+ ]);
+
+ $lead = PlatformLead::query()->create([
+ 'name' => '订单详情线索',
+ 'mobile' => '',
+ 'email' => '',
+ 'company' => '',
+ 'source' => 'test',
+ 'status' => 'new',
+ 'plan_id' => $plan->id,
+ 'meta' => ['from' => 'test'],
+ ]);
+
+ $order = PlatformOrder::query()->create([
+ 'merchant_id' => $merchant->id,
+ 'plan_id' => $plan->id,
+ 'site_subscription_id' => null,
+ 'created_by_admin_id' => 1,
+ 'order_no' => 'PO_SHOW_LEAD_0001',
+ 'order_type' => 'new_purchase',
+ 'status' => 'pending',
+ 'payment_status' => 'unpaid',
+ 'payment_channel' => null,
+ 'plan_name' => $plan->name,
+ 'billing_cycle' => $plan->billing_cycle,
+ 'period_months' => 1,
+ 'quantity' => 1,
+ 'list_amount' => 10,
+ 'discount_amount' => 0,
+ 'payable_amount' => 10,
+ 'paid_amount' => 0,
+ 'placed_at' => now(),
+ 'plan_snapshot' => ['plan_id' => $plan->id],
+ 'meta' => ['platform_lead_id' => $lead->id],
+ 'remark' => 'from lead',
+ ]);
+
+ $res = $this->get('/admin/platform-orders/' . $order->id);
+ $res->assertOk();
+
+ $res->assertSee('来源线索:#' . $lead->id, false);
+
+ $expectedLeadUrl = '/admin/platform-leads?' . Arr::query([
+ 'lead_id' => $lead->id,
+ 'back' => '/admin/platform-orders/' . $order->id,
+ ]);
+
+ $res->assertSee('href="' . $expectedLeadUrl . '"', false);
+ $res->assertSee('查看线索', false);
+ }
+}