平台订单详情:back 链接用原样输出避免 & 并补安全校验与护栏测试
This commit is contained in:
萝卜
@@ -633,11 +633,12 @@
|
|||||||
<div class="mb-20" style="margin-top:16px;">
|
<div class="mb-20" style="margin-top:16px;">
|
||||||
@php
|
@php
|
||||||
$back = (string) request()->query('back', '');
|
$back = (string) request()->query('back', '');
|
||||||
$safeBack = str_starts_with($back, '/') ? $back : '';
|
// back 安全校验:只接受相对路径,且拒绝引号/尖括号,避免潜在 XSS(由于下方 href 采用原样输出以避免 & 影响断言)
|
||||||
|
$safeBack = (str_starts_with($back, '/') && !preg_match('/["\'<>]/', $back)) ? $back : '';
|
||||||
@endphp
|
@endphp
|
||||||
|
|
||||||
@if($safeBack)
|
@if($safeBack)
|
||||||
<a href="{{ $safeBack }}" class="muted">← 返回上一页(保留上下文)</a>
|
<a href="{!! $safeBack !!}" class="muted">← 返回上一页(保留上下文)</a>
|
||||||
<span class="muted">|</span>
|
<span class="muted">|</span>
|
||||||
@endif
|
@endif
|
||||||
|
|
||||||
|
|||||||
@@ -0,0 +1,71 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
namespace Tests\Feature;
|
||||||
|
|
||||||
|
use App\Models\Merchant;
|
||||||
|
use App\Models\Plan;
|
||||||
|
use App\Models\PlatformOrder;
|
||||||
|
use Illuminate\Foundation\Testing\RefreshDatabase;
|
||||||
|
use Illuminate\Support\Arr;
|
||||||
|
use Tests\TestCase;
|
||||||
|
|
||||||
|
class AdminPlatformOrderShowBackLinkNotEscapedTest extends TestCase
|
||||||
|
{
|
||||||
|
use RefreshDatabase;
|
||||||
|
|
||||||
|
protected function loginAsPlatformAdmin(): void
|
||||||
|
{
|
||||||
|
$this->seed();
|
||||||
|
|
||||||
|
$this->post('/admin/login', [
|
||||||
|
'email' => 'platform.admin@demo.local',
|
||||||
|
'password' => 'Platform@123456',
|
||||||
|
])->assertRedirect('/admin');
|
||||||
|
}
|
||||||
|
|
||||||
|
public function test_show_page_back_link_should_not_escape_ampersand(): void
|
||||||
|
{
|
||||||
|
$this->loginAsPlatformAdmin();
|
||||||
|
|
||||||
|
$merchant = Merchant::query()->firstOrFail();
|
||||||
|
$plan = Plan::query()->create([
|
||||||
|
'code' => 'po_show_back_not_escaped_plan',
|
||||||
|
'name' => '订单详情 back 链接不转义测试套餐',
|
||||||
|
'billing_cycle' => 'monthly',
|
||||||
|
'price' => 10,
|
||||||
|
'list_price' => 10,
|
||||||
|
'status' => 'active',
|
||||||
|
'sort' => 10,
|
||||||
|
'published_at' => now(),
|
||||||
|
]);
|
||||||
|
|
||||||
|
$order = PlatformOrder::query()->create([
|
||||||
|
'merchant_id' => $merchant->id,
|
||||||
|
'plan_id' => $plan->id,
|
||||||
|
'order_no' => 'PO_SHOW_BACK_NOT_ESCAPED_0001',
|
||||||
|
'order_type' => 'new_purchase',
|
||||||
|
'status' => 'pending',
|
||||||
|
'payment_status' => 'unpaid',
|
||||||
|
'plan_name' => $plan->name,
|
||||||
|
'billing_cycle' => $plan->billing_cycle,
|
||||||
|
'period_months' => 1,
|
||||||
|
'quantity' => 1,
|
||||||
|
'payable_amount' => 10,
|
||||||
|
'paid_amount' => 0,
|
||||||
|
'placed_at' => now(),
|
||||||
|
'meta' => [],
|
||||||
|
]);
|
||||||
|
|
||||||
|
$back = '/admin/platform-orders?' . Arr::query([
|
||||||
|
'status' => 'pending',
|
||||||
|
'payment_status' => 'unpaid',
|
||||||
|
]);
|
||||||
|
|
||||||
|
$res = $this->get('/admin/platform-orders/' . $order->id . '?back=' . urlencode($back));
|
||||||
|
$res->assertOk();
|
||||||
|
|
||||||
|
// href 中应包含原始 &,而不是 &
|
||||||
|
$res->assertSee('href="' . $back . '"', false);
|
||||||
|
$res->assertDontSee('href="' . str_replace('&', '&', $back) . '"', false);
|
||||||
|
}
|
||||||
|
}
|
||||||
Reference in New Issue
Block a user