订阅详情:back 链接原样输出避免 & 并补安全校验与护栏测试
This commit is contained in:
萝卜
@@ -120,11 +120,12 @@
|
||||
<div class="mt-10">
|
||||
@php
|
||||
$back = (string) request()->query('back', '');
|
||||
$safeBack = str_starts_with($back, '/') ? $back : '';
|
||||
// back 安全校验:只接受相对路径,且拒绝引号/尖括号(由于下方 href 采用原样输出以避免 & 影响回链/断言)
|
||||
$safeBack = (str_starts_with($back, '/') && !preg_match('/["\'<>]/', $back)) ? $back : '';
|
||||
@endphp
|
||||
|
||||
@if($safeBack)
|
||||
<a href="{{ $safeBack }}" class="muted">← 返回上一页(保留上下文)</a>
|
||||
<a href="{!! $safeBack !!}" class="muted">← 返回上一页(保留上下文)</a>
|
||||
<span class="muted">|</span>
|
||||
@endif
|
||||
|
||||
|
||||
@@ -0,0 +1,68 @@
|
||||
<?php
|
||||
|
||||
namespace Tests\Feature;
|
||||
|
||||
use App\Models\Merchant;
|
||||
use App\Models\Plan;
|
||||
use App\Models\SiteSubscription;
|
||||
use Illuminate\Foundation\Testing\RefreshDatabase;
|
||||
use Illuminate\Support\Arr;
|
||||
use Tests\TestCase;
|
||||
|
||||
class AdminSiteSubscriptionShowBackLinkNotEscapedTest extends TestCase
|
||||
{
|
||||
use RefreshDatabase;
|
||||
|
||||
protected function loginAsPlatformAdmin(): void
|
||||
{
|
||||
$this->seed();
|
||||
|
||||
$this->post('/admin/login', [
|
||||
'email' => 'platform.admin@demo.local',
|
||||
'password' => 'Platform@123456',
|
||||
])->assertRedirect('/admin');
|
||||
}
|
||||
|
||||
public function test_show_page_back_link_should_not_escape_ampersand(): void
|
||||
{
|
||||
$this->loginAsPlatformAdmin();
|
||||
|
||||
$merchant = Merchant::query()->firstOrFail();
|
||||
$plan = Plan::query()->create([
|
||||
'code' => 'sub_show_back_not_escaped_plan',
|
||||
'name' => '订阅详情 back 链接不转义测试套餐',
|
||||
'billing_cycle' => 'monthly',
|
||||
'price' => 10,
|
||||
'list_price' => 10,
|
||||
'status' => 'active',
|
||||
'sort' => 10,
|
||||
'published_at' => now(),
|
||||
]);
|
||||
|
||||
$sub = SiteSubscription::query()->create([
|
||||
'merchant_id' => $merchant->id,
|
||||
'plan_id' => $plan->id,
|
||||
'status' => 'active',
|
||||
'source' => 'manual',
|
||||
'subscription_no' => 'SUB_SHOW_BACK_NOT_ESCAPED_0001',
|
||||
'plan_name' => $plan->name,
|
||||
'billing_cycle' => $plan->billing_cycle,
|
||||
'period_months' => 1,
|
||||
'amount' => 10,
|
||||
'starts_at' => now(),
|
||||
'ends_at' => now()->addMonth(),
|
||||
]);
|
||||
|
||||
$back = '/admin/site-subscriptions?' . Arr::query([
|
||||
'status' => 'active',
|
||||
'merchant_id' => 2,
|
||||
]);
|
||||
|
||||
$res = $this->get('/admin/site-subscriptions/' . $sub->id . '?back=' . urlencode($back));
|
||||
$res->assertOk();
|
||||
|
||||
// href 中应包含原始 &,而不是 &
|
||||
$res->assertSee('href="' . $back . '"', false);
|
||||
$res->assertDontSee('href="' . str_replace('&', '&', $back) . '"', false);
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user