fix(admin platform orders create): sanitize back hidden input

2026-03-14 10:24:55 +00:00
parent 0423518d34
commit 8746a50f05
1 changed files with 9 additions and 2 deletions
--- a/resources/views/admin/platform_orders/form.blade.php
+++ b/resources/views/admin/platform_orders/form.blade.php
@@ -63,9 +63,16 @@

    @php
        $backVal = (string) old('back', $defaults['back'] ?? '');
+        // back 作为隐藏字段用于 store 后跳转回来源页：同样需要安全护栏
+        $backValSafe = (str_starts_with($backVal, '/')
+            && !preg_match('/["\'<>]/', $backVal)
+            // back 本身不应再包含 back（避免无限嵌套导致 URL 膨胀）
+            && !preg_match('/(?:^|[?&])back=/', $backVal))
+            ? $backVal
+            : '';
    @endphp
-    @if($backVal !== '')
-        <input type="hidden" name="back" value="{{ $backVal }}">
+    @if($backValSafe !== '')
+        <input type="hidden" name="back" value="{{ $backValSafe }}">
    @endif

    <label>