平台订单详情:back 链接用原样输出避免 & 并补安全校验与护栏测试
This commit is contained in:
萝卜
@@ -633,11 +633,12 @@
|
||||
<div class="mb-20" style="margin-top:16px;">
|
||||
@php
|
||||
$back = (string) request()->query('back', '');
|
||||
$safeBack = str_starts_with($back, '/') ? $back : '';
|
||||
// back 安全校验:只接受相对路径,且拒绝引号/尖括号,避免潜在 XSS(由于下方 href 采用原样输出以避免 & 影响断言)
|
||||
$safeBack = (str_starts_with($back, '/') && !preg_match('/["\'<>]/', $back)) ? $back : '';
|
||||
@endphp
|
||||
|
||||
@if($safeBack)
|
||||
<a href="{{ $safeBack }}" class="muted">← 返回上一页(保留上下文)</a>
|
||||
<a href="{!! $safeBack !!}" class="muted">← 返回上一页(保留上下文)</a>
|
||||
<span class="muted">|</span>
|
||||
@endif
|
||||
|
||||
|
||||
@@ -0,0 +1,71 @@
|
||||
<?php
|
||||
|
||||
namespace Tests\Feature;
|
||||
|
||||
use App\Models\Merchant;
|
||||
use App\Models\Plan;
|
||||
use App\Models\PlatformOrder;
|
||||
use Illuminate\Foundation\Testing\RefreshDatabase;
|
||||
use Illuminate\Support\Arr;
|
||||
use Tests\TestCase;
|
||||
|
||||
class AdminPlatformOrderShowBackLinkNotEscapedTest extends TestCase
|
||||
{
|
||||
use RefreshDatabase;
|
||||
|
||||
protected function loginAsPlatformAdmin(): void
|
||||
{
|
||||
$this->seed();
|
||||
|
||||
$this->post('/admin/login', [
|
||||
'email' => 'platform.admin@demo.local',
|
||||
'password' => 'Platform@123456',
|
||||
])->assertRedirect('/admin');
|
||||
}
|
||||
|
||||
public function test_show_page_back_link_should_not_escape_ampersand(): void
|
||||
{
|
||||
$this->loginAsPlatformAdmin();
|
||||
|
||||
$merchant = Merchant::query()->firstOrFail();
|
||||
$plan = Plan::query()->create([
|
||||
'code' => 'po_show_back_not_escaped_plan',
|
||||
'name' => '订单详情 back 链接不转义测试套餐',
|
||||
'billing_cycle' => 'monthly',
|
||||
'price' => 10,
|
||||
'list_price' => 10,
|
||||
'status' => 'active',
|
||||
'sort' => 10,
|
||||
'published_at' => now(),
|
||||
]);
|
||||
|
||||
$order = PlatformOrder::query()->create([
|
||||
'merchant_id' => $merchant->id,
|
||||
'plan_id' => $plan->id,
|
||||
'order_no' => 'PO_SHOW_BACK_NOT_ESCAPED_0001',
|
||||
'order_type' => 'new_purchase',
|
||||
'status' => 'pending',
|
||||
'payment_status' => 'unpaid',
|
||||
'plan_name' => $plan->name,
|
||||
'billing_cycle' => $plan->billing_cycle,
|
||||
'period_months' => 1,
|
||||
'quantity' => 1,
|
||||
'payable_amount' => 10,
|
||||
'paid_amount' => 0,
|
||||
'placed_at' => now(),
|
||||
'meta' => [],
|
||||
]);
|
||||
|
||||
$back = '/admin/platform-orders?' . Arr::query([
|
||||
'status' => 'pending',
|
||||
'payment_status' => 'unpaid',
|
||||
]);
|
||||
|
||||
$res = $this->get('/admin/platform-orders/' . $order->id . '?back=' . urlencode($back));
|
||||
$res->assertOk();
|
||||
|
||||
// href 中应包含原始 &,而不是 &
|
||||
$res->assertSee('href="' . $back . '"', false);
|
||||
$res->assertDontSee('href="' . str_replace('&', '&', $back) . '"', false);
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user