From c4b3769458ffc4360a7c0cc98eb0c9a7544bfcf3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E8=90=9D=E5=8D=9C?= <dev@saasshop.local>
Date: Sat, 14 Mar 2026 01:35:28 +0000
Subject: [PATCH] =?UTF-8?q?fix(back):=20platform-orders/create=20back=20?=
 =?UTF-8?q?=E9=A2=84=E6=B8=85=E6=B4=97=20+=20=E8=A1=A8=E5=8D=95=20hidden?=
 =?UTF-8?q?=20back=20=E6=9D=A1=E4=BB=B6=E6=B8=B2=E6=9F=93=E6=8A=A4?=
 =?UTF-8?q?=E6=A0=8F?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../Admin/PlatformOrderController.php         |  7 ++++
 .../admin/platform_orders/form.blade.php      |  8 +++-
 ...nPlatformOrderCreateBackValidationTest.php | 38 +++++++++++++++++++
 3 files changed, 52 insertions(+), 1 deletion(-)
 create mode 100644 tests/Feature/AdminPlatformOrderCreateBackValidationTest.php

diff --git a/app/Http/Controllers/Admin/PlatformOrderController.php b/app/Http/Controllers/Admin/PlatformOrderController.php
index 68c0a1c..4e11942 100644
--- a/app/Http/Controllers/Admin/PlatformOrderController.php
+++ b/app/Http/Controllers/Admin/PlatformOrderController.php
@@ -42,6 +42,13 @@ class PlatformOrderController extends Controller
             'back' => (string) $request->query('back', ''),
         ];
 
+        // back 安全阀：必须为站内相对路径，并拒绝引号/尖括号。
+        // 说明：form 页会把 defaults.back 透传到 hidden input 与返回按钮；因此这里提前清洗，避免 unsafe back 在页面中出现。
+        $incomingBack = (string) ($defaults['back'] ?? '');
+        $defaults['back'] = (str_starts_with($incomingBack, '/') && !preg_match('/["\'<>]/', $incomingBack))
+            ? $incomingBack
+            : '';
+
         $siteSubscription = null;
         $siteSubscriptionId = (int) ($defaults['site_subscription_id'] ?? 0);
         if ($siteSubscriptionId > 0) {
diff --git a/resources/views/admin/platform_orders/form.blade.php b/resources/views/admin/platform_orders/form.blade.php
index 636ccbb..c97b8a6 100644
--- a/resources/views/admin/platform_orders/form.blade.php
+++ b/resources/views/admin/platform_orders/form.blade.php
@@ -29,7 +29,13 @@
     @csrf
 
     <input type="hidden" name="site_subscription_id" value="{{ old('site_subscription_id', $defaults['site_subscription_id'] ?? '') }}">
-    <input type="hidden" name="back" value="{{ old('back', $defaults['back'] ?? '') }}">
+
+    @php
+        $backVal = (string) old('back', $defaults['back'] ?? '');
+    @endphp
+    @if($backVal !== '')
+        <input type="hidden" name="back" value="{{ $backVal }}">
+    @endif
 
     <label>
         <span>站点</span>
diff --git a/tests/Feature/AdminPlatformOrderCreateBackValidationTest.php b/tests/Feature/AdminPlatformOrderCreateBackValidationTest.php
new file mode 100644
index 0000000..c331288
--- /dev/null
+++ b/tests/Feature/AdminPlatformOrderCreateBackValidationTest.php
@@ -0,0 +1,38 @@
+<?php
+
+namespace Tests\Feature;
+
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Tests\TestCase;
+
+class AdminPlatformOrderCreateBackValidationTest extends TestCase
+{
+    use RefreshDatabase;
+
+    protected function loginAsPlatformAdmin(): void
+    {
+        $this->seed();
+
+        $this->post('/admin/login', [
+            'email' => 'platform.admin@demo.local',
+            'password' => 'Platform@123456',
+        ])->assertRedirect('/admin');
+    }
+
+    public function test_create_should_not_echo_back_hidden_input_when_back_contains_quotes_or_brackets(): void
+    {
+        $this->loginAsPlatformAdmin();
+
+        $unsafeBack = '/admin/site-subscriptions?keyword="x"&a=<b>';
+
+        $res = $this->get('/admin/platform-orders/create?back=' . urlencode($unsafeBack));
+        $res->assertOk();
+
+        // back 被清洗为空：不应回显 hidden back input，也不应出现 unsafeBack
+        $res->assertDontSee('name="back"', false);
+        $res->assertDontSee($unsafeBack, false);
+
+        // 返回按钮应回退到默认列表
+        $res->assertSee('href="/admin/platform-orders"', false);
+    }
+}