From a286e19e08ed1f0245a9aba4a3cfece9eda4c338 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E8=90=9D=E5=8D=9C?=
Date: Sat, 14 Mar 2026 01:22:53 +0000
Subject: [PATCH] =?UTF-8?q?fix(back):=20=E5=B9=B3=E5=8F=B0=E8=AE=A2?=
 =?UTF-8?q?=E5=8D=95=20store=20=E9=80=8F=E4=BC=A0=20back=20=E5=A2=9E?=
 =?UTF-8?q?=E5=BC=BA=E6=A0=A1=E9=AA=8C=EF=BC=88=E6=8B=92=E7=BB=9D=E5=BC=95?=
 =?UTF-8?q?=E5=8F=B7/=E5=B0=96=E6=8B=AC=E5=8F=B7=EF=BC=89?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 app/Http/Controllers/Admin/PlatformOrderController.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/app/Http/Controllers/Admin/PlatformOrderController.php b/app/Http/Controllers/Admin/PlatformOrderController.php
index a218364..68c0a1c 100644
--- a/app/Http/Controllers/Admin/PlatformOrderController.php
+++ b/app/Http/Controllers/Admin/PlatformOrderController.php
@@ -126,7 +126,8 @@ class PlatformOrderController extends Controller
         ]);
         $back = (string) ($data['back'] ?? '');
-        $safeBack = str_starts_with($back, '/') ? $back : '';
+        // back 需为站内相对路径,并拒绝引号/尖括号,避免在后续页面以 `{!! !!}` 原样输出时引入 XSS 风险。
+        $safeBack = (str_starts_with($back, '/') && !preg_match('/["\'<>]/', $back)) ? $back : '';
         $redirectUrl = '/admin/platform-orders/' . $order->id;
         if ($safeBack !== '') {
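Review bot: `str_starts_with($back, '/')` on the new `$safeBack` line still accepts a protocol-relative value that begins with `//` (and, for some browsers, `/\`), so if `$safeBack` later becomes the redirect target — the `if ($safeBack !== '') {` at the end of the hunk suggests it does — the quote/angle-bracket filter added here does not close that open-redirect path. A short allow-list is easier to reason about than denying four characters, and comparing with `=== 1` also covers the `false` that `preg_match` returns on a PCRE error: `$safeBack = (preg_match('#^/(?![/\\\\])[^"\'<>\s]*$#', $back) === 1) ? $back : '';`. The new comment justifies the filter by a downstream `{!! !!}` echo; rendering that value with `{{ }}` at the output site would make this defence unnecessary for the XSS case, which is worth stating in the comment so the next maintainer does not treat the input check as the only guard. The enclosing method begins before and continues after this hunk.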