From c2b213af9c9385588c86b3444400b5aae02a7906 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E8=90=9D=E5=8D=9C?= Date: Sat, 14 Mar 2026 01:05:29 +0000 Subject: [PATCH] =?UTF-8?q?=E8=AE=A2=E9=98=85=E8=AF=A6=E6=83=85=EF=BC=9Aba?= =?UTF-8?q?ck=20=E9=93=BE=E6=8E=A5=E5=8E=9F=E6=A0=B7=E8=BE=93=E5=87=BA?= =?UTF-8?q?=E9=81=BF=E5=85=8D=20&=20=E5=B9=B6=E8=A1=A5=E5=AE=89?= =?UTF-8?q?=E5=85=A8=E6=A0=A1=E9=AA=8C=E4=B8=8E=E6=8A=A4=E6=A0=8F=E6=B5=8B?= =?UTF-8?q?=E8=AF=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../admin/site_subscriptions/show.blade.php | 5 +- ...SubscriptionShowBackLinkNotEscapedTest.php | 68 +++++++++++++++++++ 2 files changed, 71 insertions(+), 2 deletions(-) create mode 100644 tests/Feature/AdminSiteSubscriptionShowBackLinkNotEscapedTest.php diff --git a/resources/views/admin/site_subscriptions/show.blade.php b/resources/views/admin/site_subscriptions/show.blade.php index 7544a79..03774a4 100644 --- a/resources/views/admin/site_subscriptions/show.blade.php +++ b/resources/views/admin/site_subscriptions/show.blade.php @@ -120,11 +120,12 @@
@php $back = (string) request()->query('back', ''); - $safeBack = str_starts_with($back, '/') ? $back : ''; + // back 安全校验:只接受相对路径,且拒绝引号/尖括号(由于下方 href 采用原样输出以避免 & 影响回链/断言) + $safeBack = (str_starts_with($back, '/') && !preg_match('/["\'<>]/', $back)) ? $back : ''; @endphp @if($safeBack) - ← 返回上一页(保留上下文) + ← 返回上一页(保留上下文) @endif diff --git a/tests/Feature/AdminSiteSubscriptionShowBackLinkNotEscapedTest.php b/tests/Feature/AdminSiteSubscriptionShowBackLinkNotEscapedTest.php new file mode 100644 index 0000000..56df1ca --- /dev/null +++ b/tests/Feature/AdminSiteSubscriptionShowBackLinkNotEscapedTest.php @@ -0,0 +1,68 @@ +seed(); + + $this->post('/admin/login', [ + 'email' => 'platform.admin@demo.local', + 'password' => 'Platform@123456', + ])->assertRedirect('/admin'); + } + + public function test_show_page_back_link_should_not_escape_ampersand(): void + { + $this->loginAsPlatformAdmin(); + + $merchant = Merchant::query()->firstOrFail(); + $plan = Plan::query()->create([ + 'code' => 'sub_show_back_not_escaped_plan', + 'name' => '订阅详情 back 链接不转义测试套餐', + 'billing_cycle' => 'monthly', + 'price' => 10, + 'list_price' => 10, + 'status' => 'active', + 'sort' => 10, + 'published_at' => now(), + ]); + + $sub = SiteSubscription::query()->create([ + 'merchant_id' => $merchant->id, + 'plan_id' => $plan->id, + 'status' => 'active', + 'source' => 'manual', + 'subscription_no' => 'SUB_SHOW_BACK_NOT_ESCAPED_0001', + 'plan_name' => $plan->name, + 'billing_cycle' => $plan->billing_cycle, + 'period_months' => 1, + 'amount' => 10, + 'starts_at' => now(), + 'ends_at' => now()->addMonth(), + ]); + + $back = '/admin/site-subscriptions?' . Arr::query([ + 'status' => 'active', + 'merchant_id' => 2, + ]); + + $res = $this->get('/admin/site-subscriptions/' . $sub->id . '?back=' . urlencode($back)); + $res->assertOk(); + + // href 中应包含原始 &,而不是 & + $res->assertSee('href="' . $back . '"', false); + $res->assertDontSee('href="' . str_replace('&', '&', $back) . '"', false); + } +}