From bfcd5a727f9f702678e6e2a40a538ee2efcbe8a8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E8=90=9D=E5=8D=9C?= <dev@saasshop.local>
Date: Sat, 14 Mar 2026 11:25:02 +0000
Subject: [PATCH] platform_orders index: rollback tools layout wrapper; quick
 filters use safe back

---
 .../admin/platform_orders/index.blade.php     | 36 ++++-----
 ...xUnsafeBackShouldBeDroppedForLinksTest.php | 74 +++++++++++++++++++
 2 files changed, 87 insertions(+), 23 deletions(-)
 create mode 100644 tests/Feature/AdminPlatformOrderIndexUnsafeBackShouldBeDroppedForLinksTest.php

diff --git a/resources/views/admin/platform_orders/index.blade.php b/resources/views/admin/platform_orders/index.blade.php
index 25769cf..c80e77f 100644
--- a/resources/views/admin/platform_orders/index.blade.php
+++ b/resources/views/admin/platform_orders/index.blade.php
@@ -150,18 +150,18 @@
 
     @php
         // 快捷筛选：尽量保留当前筛选（站点/套餐/订阅ID/back 等），仅覆盖目标筛选字段，并清空 page。
-        $buildQuickFilterUrl = function (array $overrides) {
+        $buildQuickFilterUrl = function (array $overrides) use ($safeBackForLinks) {
             $path = '/' . ltrim(request()->path(), '/');
 
             // 快捷筛选的设计原则：
-            // - 保留“上下文”字段（站点/套餐/订阅/back/关键词）
+            // - 保留“上下文”字段（站点/套餐/订阅/关键词/back）
+            // - 但：back 必须走全页统一安全护栏（避免把 unsafe back 透传到链接里）
             // - 清理其它可能互斥/叠加导致空结果的筛选字段（例如 syncable_only/reconcile_mismatch 等）
             // - 并且强制清空 page，避免落到空页
             $contextKeys = [
                 'merchant_id' => 1,
                 'plan_id' => 1,
                 'site_subscription_id' => 1,
-                'back' => 1,
                 'keyword' => 1,
                 // 线索联动：从开通线索跳转来的上下文应保留（避免快捷筛选跳走后丢上下文）
                 'lead_id' => 1,
@@ -169,6 +169,12 @@
 
             $q = array_intersect_key(request()->query(), $contextKeys);
 
+            if ($safeBackForLinks !== '') {
+                $q['back'] = $safeBackForLinks;
+            } else {
+                unset($q['back']);
+            }
+
             foreach ($overrides as $k => $v) {
                 if ($v === null) {
                     unset($q[$k]);
@@ -185,16 +191,10 @@
         };
 
         // “全部”：清空筛选，但保留 back（用于返回来源页）
-        $incomingBack = (string) request()->query('back', '');
-        $safeBack = (str_starts_with($incomingBack, '/')
-            && !preg_match('/["\'<>]/', $incomingBack)
-            // back 本身不应再包含 back（避免无限嵌套导致 URL 膨胀）
-            && !preg_match('/(?:^|[?&])back=/', $incomingBack))
-            ? $incomingBack
-            : '';
+        // “全部”：清空筛选，但保留安全 back（用于返回来源页）
         $allUrl = '/admin/platform-orders';
-        if ($safeBack !== '') {
-            $allUrl .= '?' . \Illuminate\Support\Arr::query(['back' => $safeBack]);
+        if ($safeBackForLinks !== '') {
+            $allUrl .= '?' . \Illuminate\Support\Arr::query(['back' => $safeBackForLinks]);
         }
     @endphp
 
@@ -436,7 +436,7 @@
             </ol>
         </div>
         <div class="muted governance-block-footnote">说明：本页“批量同步/批量生效/清理失败标记”等工具动作会透传当前筛选条件；建议先缩小到明确集合再操作。</div>
-        <div class="muted governance-block-footnote">提示：如果你是从其它页面（例如订阅详情/套餐页）通过 back 进入本页，建议优先用上方「← 返回上一页（保留上下文）」回到来源页，再继续操作。</div>
+        <div class="muted governance-block-footnote">提示：如果你是从其它页面（例如订阅详情/套餐页）通过 back 进入本页，建议优先用上方的「返回上一页」入口回到来源页，再继续操作。</div>
     </div>
 
     <div class="card">
@@ -552,14 +552,6 @@
     <h3>工具</h3>
     <div class="muted mb-10">清除仅影响订单 meta 中的失败标记，不改变订单/订阅状态。</div>
 
-    @php
-        // 工具区布局：采用与“筛选条件”类似的排版（两列），避免所有内容挤到左侧。
-        // 说明：仅做结构包裹，不改动原表单字段/行为。
-        $toolForms = [];
-    @endphp
-
-    <div class="grid-2">
-
     @php
         $hasReconcileMismatchFilter = (($filters['reconcile_mismatch'] ?? '') === '1');
         $hasRefundInconsistentFilter = (($filters['refund_inconsistent'] ?? '') === '1');
@@ -942,8 +934,6 @@
             <button class="btn btn-danger btn-sm" type="submit">清除批量标记支付失败标记（全部订单）</button>
         </div>
     </form>
-
-    </div>
 </div>
 
 <div class="card">
diff --git a/tests/Feature/AdminPlatformOrderIndexUnsafeBackShouldBeDroppedForLinksTest.php b/tests/Feature/AdminPlatformOrderIndexUnsafeBackShouldBeDroppedForLinksTest.php
new file mode 100644
index 0000000..5ff72ac
--- /dev/null
+++ b/tests/Feature/AdminPlatformOrderIndexUnsafeBackShouldBeDroppedForLinksTest.php
@@ -0,0 +1,74 @@
+<?php
+
+namespace Tests\Feature;
+
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Tests\TestCase;
+
+class AdminPlatformOrderIndexUnsafeBackShouldBeDroppedForLinksTest extends TestCase
+{
+    use RefreshDatabase;
+
+    protected function loginAsPlatformAdmin(): void
+    {
+        $this->seed();
+
+        $this->post('/admin/login', [
+            'email' => 'platform.admin@demo.local',
+            'password' => 'Platform@123456',
+        ])->assertRedirect('/admin');
+    }
+
+    public static function invalidBackProvider(): array
+    {
+        return [
+            'contains_quote' => ['/admin/plans?x="'],
+            'contains_tag' => ['/admin/plans?<script>alert(1)</script>'],
+            'nested_back' => ['/admin/plans?back=/admin/platform-orders'],
+        ];
+    }
+
+    /**
+     * @dataProvider invalidBackProvider
+     */
+    public function test_index_should_drop_unsafe_back_for_safe_full_url_with_query_links(string $invalidBack): void
+    {
+        $this->loginAsPlatformAdmin();
+
+        $res = $this->get('/admin/platform-orders?back=' . urlencode($invalidBack));
+        $res->assertOk();
+
+        $html = (string) $res->getContent();
+
+        // unsafe back 时，不应渲染“返回上一页（保留上下文）”的可点击链接。
+        // 注意：页面的说明文字中可能包含该文案，因此这里用正则只匹配 <a> 标签。
+        $this->assertSame(
+            0,
+            preg_match('/<a[^>]+href="[^"]+"[^>]*>\s*← 返回上一页（保留上下文）\s*<\/a>/', $html),
+            'unsafe back 时不应渲染可点击的返回链接'
+        );
+
+        preg_match_all('/href="([^"]+)"/', $html, $matches);
+        $hrefs = $matches[1] ?? [];
+
+        $found = false;
+        foreach ($hrefs as $u) {
+            if (!str_contains($u, '/admin/platform-orders')) {
+                continue;
+            }
+
+            $parts = parse_url($u);
+            parse_str($parts['query'] ?? '', $q);
+
+            if (($q['payment_status'] ?? null) !== 'paid') {
+                continue;
+            }
+
+            $found = true;
+            $this->assertArrayNotHasKey('back', $q, 'unsafe back 不应出现在 fullUrlWithQuery 类链接中');
+            break;
+        }
+
+        $this->assertTrue($found, '未找到 payment_status=paid 的链接用于断言 back 是否被移除');
+    }
+}