From 9db8d8ed7fb94a715b562c9df04ee1ed98a218dc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E8=90=9D=E5=8D=9C?= Date: Sat, 14 Mar 2026 01:02:09 +0000 Subject: [PATCH] =?UTF-8?q?=E5=B9=B3=E5=8F=B0=E8=AE=A2=E5=8D=95=E8=AF=A6?= =?UTF-8?q?=E6=83=85=EF=BC=9Aback=20=E9=93=BE=E6=8E=A5=E7=94=A8=E5=8E=9F?= =?UTF-8?q?=E6=A0=B7=E8=BE=93=E5=87=BA=E9=81=BF=E5=85=8D=20&=20?= =?UTF-8?q?=E5=B9=B6=E8=A1=A5=E5=AE=89=E5=85=A8=E6=A0=A1=E9=AA=8C=E4=B8=8E?= =?UTF-8?q?=E6=8A=A4=E6=A0=8F=E6=B5=8B=E8=AF=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../admin/platform_orders/show.blade.php | 5 +- ...latformOrderShowBackLinkNotEscapedTest.php | 71 +++++++++++++++++++ 2 files changed, 74 insertions(+), 2 deletions(-) create mode 100644 tests/Feature/AdminPlatformOrderShowBackLinkNotEscapedTest.php diff --git a/resources/views/admin/platform_orders/show.blade.php b/resources/views/admin/platform_orders/show.blade.php index 76c2706..c8ebf2b 100644 --- a/resources/views/admin/platform_orders/show.blade.php +++ b/resources/views/admin/platform_orders/show.blade.php @@ -633,11 +633,12 @@
@php $back = (string) request()->query('back', ''); - $safeBack = str_starts_with($back, '/') ? $back : ''; + // back 安全校验:只接受相对路径,且拒绝引号/尖括号,避免潜在 XSS(由于下方 href 采用原样输出以避免 & 影响断言) + $safeBack = (str_starts_with($back, '/') && !preg_match('/["\'<>]/', $back)) ? $back : ''; @endphp @if($safeBack) - ← 返回上一页(保留上下文) + ← 返回上一页(保留上下文) @endif diff --git a/tests/Feature/AdminPlatformOrderShowBackLinkNotEscapedTest.php b/tests/Feature/AdminPlatformOrderShowBackLinkNotEscapedTest.php new file mode 100644 index 0000000..7a18200 --- /dev/null +++ b/tests/Feature/AdminPlatformOrderShowBackLinkNotEscapedTest.php @@ -0,0 +1,71 @@ +seed(); + + $this->post('/admin/login', [ + 'email' => 'platform.admin@demo.local', + 'password' => 'Platform@123456', + ])->assertRedirect('/admin'); + } + + public function test_show_page_back_link_should_not_escape_ampersand(): void + { + $this->loginAsPlatformAdmin(); + + $merchant = Merchant::query()->firstOrFail(); + $plan = Plan::query()->create([ + 'code' => 'po_show_back_not_escaped_plan', + 'name' => '订单详情 back 链接不转义测试套餐', + 'billing_cycle' => 'monthly', + 'price' => 10, + 'list_price' => 10, + 'status' => 'active', + 'sort' => 10, + 'published_at' => now(), + ]); + + $order = PlatformOrder::query()->create([ + 'merchant_id' => $merchant->id, + 'plan_id' => $plan->id, + 'order_no' => 'PO_SHOW_BACK_NOT_ESCAPED_0001', + 'order_type' => 'new_purchase', + 'status' => 'pending', + 'payment_status' => 'unpaid', + 'plan_name' => $plan->name, + 'billing_cycle' => $plan->billing_cycle, + 'period_months' => 1, + 'quantity' => 1, + 'payable_amount' => 10, + 'paid_amount' => 0, + 'placed_at' => now(), + 'meta' => [], + ]); + + $back = '/admin/platform-orders?' . Arr::query([ + 'status' => 'pending', + 'payment_status' => 'unpaid', + ]); + + $res = $this->get('/admin/platform-orders/' . $order->id . '?back=' . urlencode($back)); + $res->assertOk(); + + // href 中应包含原始 &,而不是 & + $res->assertSee('href="' . $back . '"', false); + $res->assertDontSee('href="' . str_replace('&', '&', $back) . '"', false); + } +}