From 7a8170976f9eb7c5b5fb960d561a71107f0e5b02 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E8=90=9D=E5=8D=9C?= Date: Sat, 14 Mar 2026 17:11:16 +0000 Subject: [PATCH] =?UTF-8?q?=E5=A5=97=E9=A4=90=E8=A1=A8=E5=8D=95=EF=BC=9A?= =?UTF-8?q?=E7=BB=9F=E4=B8=80safeBackForLinks=E6=8A=A4=E6=A0=8F=E5=8F=98?= =?UTF-8?q?=E9=87=8F=EF=BC=88=E5=8E=BB=E9=87=8D=EF=BC=89?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- resources/views/admin/plans/form.blade.php | 23 +++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/resources/views/admin/plans/form.blade.php b/resources/views/admin/plans/form.blade.php index e407d05..deba24f 100644 --- a/resources/views/admin/plans/form.blade.php +++ b/resources/views/admin/plans/form.blade.php @@ -13,17 +13,19 @@ @csrf @php - $back = (string) ($back ?? ''); - // back 作为隐藏字段用于 store 后跳转回来源页:同样需要安全护栏 - $safeBack = (str_starts_with($back, '/') - && !preg_match('/["\'<>]/', $back) - // back 本身不应再包含 back(避免无限嵌套导致 URL 膨胀) - && !preg_match('/(?:^|[?&])back=/', $back)) - ? $back + $incomingBack = (string) ($back ?? ''); + // back 安全护栏(全页通用): + // - 仅允许站内相对路径(/ 开头) + // - 拒绝引号/尖括号 + // - 拒绝 nested back=(避免 URL 膨胀/绕过) + $safeBackForLinks = (str_starts_with($incomingBack, '/') + && !preg_match('/["\'<>]/', $incomingBack) + && !preg_match('/(?:^|[?&])back=/', $incomingBack)) + ? $incomingBack : ''; @endphp - @if($safeBack !== '') - + @if($safeBackForLinks !== '') + @endif @php - $back = (string) ($back ?? ''); - $backUrl = $back !== '' ? $back : '/admin/plans'; + $backUrl = $safeBackForLinks !== '' ? $safeBackForLinks : '/admin/plans'; @endphp
{{-- back 可能包含 query(含 &),此处需原样输出,避免 Blade escape 成 & 导致回退上下文丢失。--}}