linxianzhuang/saasshop
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Platform order form: use BackUrl::sanitizeForLinks for back

Browse Source
This commit is contained in:
萝卜
2026-03-14 23:19:07 +00:00
parent 328cc46b8a
commit 9a94ad3195
1 changed files with 3 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
resources/views/admin/platform_orders/form.blade.php
View File

@@ -11,11 +11,7 @@
@php
$leadId = (int) old('lead_id', $defaults['lead_id'] ?? 0);
$incomingBackForLead = (string) ($defaults['back'] ?? '');
$leadBack = (str_starts_with($incomingBackForLead, '/')
&& !preg_match('/["\'<>]/', $incomingBackForLead)
&& !preg_match('/(?:^|[?&])back=/', $incomingBackForLead))
? $incomingBackForLead
: '';
$leadBack = \App\Support\BackUrl::sanitizeForLinks($incomingBackForLead);
$viewLeadOrdersQuery = [
'lead_id' => $leadId,
@@ -63,13 +59,8 @@
@php
$backVal = (string) old('back', $defaults['back'] ?? '');
// back 作为隐藏字段用于 store 后跳转回来源页:同样需要安全护栏
$backValSafe = (str_starts_with($backVal, '/')
&& !preg_match('/["\'<>]/', $backVal)
// back 本身不应再包含 back避免无限嵌套导致 URL 膨胀)
&& !preg_match('/(?:^|[?&])back=/', $backVal))
? $backVal
: '';
// back 作为隐藏字段用于 store 后跳转回来源页:同样需要安全护栏(统一口径)
$backValSafe = \App\Support\BackUrl::sanitizeForLinks($backVal);
@endphp
@if($backValSafe !== '')
<input type="hidden" name="back" value="{{ $backValSafe }}">