From b5bee7a9c81473120a3c5cac5994414eb5dbd322 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E8=90=9D=E5=8D=9C?= Date: Sat, 14 Mar 2026 16:50:19 +0000 Subject: [PATCH] =?UTF-8?q?=E5=A5=97=E9=A4=90=E5=88=97=E8=A1=A8=EF=BC=9A?= =?UTF-8?q?=E5=A4=8D=E7=94=A8safeBackForLinks=E6=B8=B2=E6=9F=93=E8=BF=94?= =?UTF-8?q?=E5=9B=9E=E9=93=BE=E6=8E=A5=EF=BC=88=E5=8E=BB=E9=87=8D=EF=BC=89?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- resources/views/admin/plans/index.blade.php | 26 ++++++++++----------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/resources/views/admin/plans/index.blade.php b/resources/views/admin/plans/index.blade.php index 30ffa82..446e523 100644 --- a/resources/views/admin/plans/index.blade.php +++ b/resources/views/admin/plans/index.blade.php @@ -25,25 +25,25 @@ return '/admin/platform-orders?' . \Illuminate\Support\Arr::query($query); }; + + // back 安全护栏(全页通用): + // - 仅允许站内相对路径(/ 开头) + // - 拒绝引号/尖括号(由于本页大量 href 采用 `{!! !!}` 原样输出,必须严控注入风险) + // - 拒绝 nested back=(避免 URL 膨胀/绕过) + $incomingBack = (string) request()->query('back', ''); + $safeBackForLinks = (str_starts_with($incomingBack, '/') + && !preg_match('/["\'<>]/', $incomingBack) + && !preg_match('/(?:^|[?&])back=/', $incomingBack)) + ? $incomingBack + : ''; @endphp

这里是总台视角的套餐目录页,用于沉淀平台可售卖的标准能力包。

当前阶段先完成套餐主数据可见、可筛与口径收拢,后续再接授权项、售价规则与上下架动作。

- @php - $incomingBack = (string) request()->query('back', ''); - // 为避免 & 被 Blade escape 成 & 导致回退上下文丢失,这里需要原样输出 href。 - // 安全护栏:必须为站内相对路径,并拒绝引号/尖括号,降低 XSS 风险。 - $safeBack = (str_starts_with($incomingBack, '/') - && !preg_match('/["\'<>]/', $incomingBack) - // back 本身不应再包含 back(避免无限嵌套导致 URL 膨胀) - && !preg_match('/(?:^|[?&])back=/', $incomingBack)) - ? $incomingBack - : ''; - @endphp - @if($safeBack) + @if($safeBackForLinks !== '')
- ← 返回上一页(保留上下文) + ← 返回上一页(保留上下文)
@endif