fix(back): platform-orders/create back 预清洗 + 表单 hidden back 条件渲染护栏

2026-03-14 01:35:28 +00:00
parent 5e06df9360
commit c4b3769458
3 changed files with 52 additions and 1 deletions
--- a/app/Http/Controllers/Admin/PlatformOrderController.php
+++ b/app/Http/Controllers/Admin/PlatformOrderController.php
@@ -42,6 +42,13 @@ class PlatformOrderController extends Controller
            'back' => (string) $request->query('back', ''),
        ];

+        // back 安全阀：必须为站内相对路径，并拒绝引号/尖括号。
+        // 说明：form 页会把 defaults.back 透传到 hidden input 与返回按钮；因此这里提前清洗，避免 unsafe back 在页面中出现。
+        $incomingBack = (string) ($defaults['back'] ?? '');
+        $defaults['back'] = (str_starts_with($incomingBack, '/') && !preg_match('/["\'<>]/', $incomingBack))
+            ? $incomingBack
+            : '';
+
        $siteSubscription = null;
        $siteSubscriptionId = (int) ($defaults['site_subscription_id'] ?? 0);
        if ($siteSubscriptionId > 0) {
--- a/resources/views/admin/platform_orders/form.blade.php
+++ b/resources/views/admin/platform_orders/form.blade.php
@@ -29,7 +29,13 @@
    @csrf

    <input type="hidden" name="site_subscription_id" value="{{ old('site_subscription_id', $defaults['site_subscription_id'] ?? '') }}">
-    <input type="hidden" name="back" value="{{ old('back', $defaults['back'] ?? '') }}">
+
+    @php
+        $backVal = (string) old('back', $defaults['back'] ?? '');
+    @endphp
+    @if($backVal !== '')
+        <input type="hidden" name="back" value="{{ $backVal }}">
+    @endif

    <label>
        <span>站点</span>
--- a/tests/Feature/AdminPlatformOrderCreateBackValidationTest.php
+++ b/tests/Feature/AdminPlatformOrderCreateBackValidationTest.php
@@ -0,0 +1,38 @@
+<?php
+
+namespace Tests\Feature;
+
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Tests\TestCase;
+
+class AdminPlatformOrderCreateBackValidationTest extends TestCase
+{
+    use RefreshDatabase;
+
+    protected function loginAsPlatformAdmin(): void
+    {
+        $this->seed();
+
+        $this->post('/admin/login', [
+            'email' => 'platform.admin@demo.local',
+            'password' => 'Platform@123456',
+        ])->assertRedirect('/admin');
+    }
+
+    public function test_create_should_not_echo_back_hidden_input_when_back_contains_quotes_or_brackets(): void
+    {
+        $this->loginAsPlatformAdmin();
+
+        $unsafeBack = '/admin/site-subscriptions?keyword="x"&a=<b>';
+
+        $res = $this->get('/admin/platform-orders/create?back=' . urlencode($unsafeBack));
+        $res->assertOk();
+
+        // back 被清洗为空：不应回显 hidden back input，也不应出现 unsafeBack
+        $res->assertDontSee('name="back"', false);
+        $res->assertDontSee($unsafeBack, false);
+
+        // 返回按钮应回退到默认列表
+        $res->assertSee('href="/admin/platform-orders"', false);
+    }
+}