From 8746a50f0575eb07b70bcc03ca81a9f5f3bf9087 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E8=90=9D=E5=8D=9C?=
Date: Sat, 14 Mar 2026 10:24:55 +0000
Subject: [PATCH] fix(admin platform orders create): sanitize back hidden input

---
 resources/views/admin/platform_orders/form.blade.php | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/resources/views/admin/platform_orders/form.blade.php b/resources/views/admin/platform_orders/form.blade.php
index 73ec940..43b98f6 100644
--- a/resources/views/admin/platform_orders/form.blade.php
+++ b/resources/views/admin/platform_orders/form.blade.php
@@ -63,9 +63,16 @@
 @php
 $backVal = (string) old('back', $defaults['back'] ?? '');
+ // back 作为隐藏字段用于 store 后跳转回来源页:同样需要安全护栏
+ $backValSafe = (str_starts_with($backVal, '/')
+ && !preg_match('/["\'<>]/', $backVal)
+ // back 本身不应再包含 back(避免无限嵌套导致 URL 膨胀)
+ && !preg_match('/(?:^|[?&])back=/', $backVal))
+ ? $backVal
+ : '';
 @endphp
- @if($backVal !== '')
-
+ @if($backValSafe !== '')
+
 @endif
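Review bot: The new `$backValSafe` guard on the `str_starts_with($backVal, '/')` line still accepts protocol-relative values such as `//host/...` (and `/\host`, which browsers normalise the same way), so if the stored `back` value is later handed to a redirect it can still point off-site. Tighten the prefix check to `str_starts_with($backVal, '/') && !str_starts_with($backVal, '//') && !str_starts_with($backVal, '/\\')`, or validate with `parse_url()` and reject any value that yields a `host` or `scheme`. The `["\'<>]` character blacklist should not be what keeps the hidden input safe; the `<input>` line itself appears to have been stripped from this hunk, so this is inferred, but its `value` should go through Blade's `{{ }}` escaping regardless of this filter. The comment notes this mirrors a guard elsewhere ("同样需要安全护栏"); moving that rule into one shared helper would keep the two checks from drifting apart. The hunk's trailing context lines are not visible here, so the surrounding markup could not be reviewed.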