From 9a94ad31954d24775d669a40f074aa0cd0408699 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E8=90=9D=E5=8D=9C?=
Date: Sat, 14 Mar 2026 23:19:07 +0000
Subject: [PATCH] Platform order form: use BackUrl::sanitizeForLinks for back

---
 .../views/admin/platform_orders/form.blade.php | 15 +++------------
 1 file changed, 3 insertions(+), 12 deletions(-)

diff --git a/resources/views/admin/platform_orders/form.blade.php b/resources/views/admin/platform_orders/form.blade.php
index 768b0e9..ac6e84c 100644
--- a/resources/views/admin/platform_orders/form.blade.php
+++ b/resources/views/admin/platform_orders/form.blade.php
@@ -11,11 +11,7 @@
 @php
     $leadId = (int) old('lead_id', $defaults['lead_id'] ?? 0);
     $incomingBackForLead = (string) ($defaults['back'] ?? '');
-    $leadBack = (str_starts_with($incomingBackForLead, '/')
-        && !preg_match('/["\'<>]/', $incomingBackForLead)
-        && !preg_match('/(?:^|[?&])back=/', $incomingBackForLead)) ? $incomingBackForLead : '';
+    $leadBack = \App\Support\BackUrl::sanitizeForLinks($incomingBackForLead);
 
     $viewLeadOrdersQuery = [
         'lead_id' => $leadId,
@@ -63,13 +59,8 @@
 @php
     $backVal = (string) old('back', $defaults['back'] ?? '');
-    // back 作为隐藏字段用于 store 后跳转回来源页:同样需要安全护栏
-    $backValSafe = (str_starts_with($backVal, '/')
-        && !preg_match('/["\'<>]/', $backVal)
-        // back 本身不应再包含 back(避免无限嵌套导致 URL 膨胀)
-        && !preg_match('/(?:^|[?&])back=/', $backVal)) ? $backVal : '';
+    // back 作为隐藏字段用于 store 后跳转回来源页:同样需要安全护栏(统一口径)
+    $backValSafe = \App\Support\BackUrl::sanitizeForLinks($backVal);
 @endphp
 @if($backValSafe !== '')
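Review bot: `\App\Support\BackUrl::sanitizeForLinks` now stands in for the inline guard (leading `/`, no `"'<>`, no nested `back=`), but its implementation is not part of this diff, so it should be confirmed that the helper also rejects protocol-relative values such as `//host/...` and `/\host`, which the removed `str_starts_with($incomingBackForLead, '/')` check accepted and which would turn the back link into an off-site redirect; the same confirmation applies to the second hunk. This hunk also drops the only explanation of what "safe" means for `$leadBack`, while the second hunk keeps a comment, so add a matching one above the new line, e.g. `// back must be a same-origin relative path; BackUrl::sanitizeForLinks is expected to return '' for anything else (see the @if($backValSafe !== '') guard below)`. The `@php` block opened on the hunk's first line is closed outside the hunk.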