fix(back): platform-orders/create back 预清洗 + 表单 hidden back 条件渲染护栏

2026-03-14 01:35:28 +00:00
parent 5e06df9360
commit c4b3769458
3 changed files with 52 additions and 1 deletions
--- a/app/Http/Controllers/Admin/PlatformOrderController.php
+++ b/app/Http/Controllers/Admin/PlatformOrderController.php
@@ -42,6 +42,13 @@ class PlatformOrderController extends Controller
            'back' => (string) $request->query('back', ''),
        ];

+        // back 安全阀：必须为站内相对路径，并拒绝引号/尖括号。
+        // 说明：form 页会把 defaults.back 透传到 hidden input 与返回按钮；因此这里提前清洗，避免 unsafe back 在页面中出现。
+        $incomingBack = (string) ($defaults['back'] ?? '');
+        $defaults['back'] = (str_starts_with($incomingBack, '/') && !preg_match('/["\'<>]/', $incomingBack))
+            ? $incomingBack
+            : '';
+
        $siteSubscription = null;
        $siteSubscriptionId = (int) ($defaults['site_subscription_id'] ?? 0);
        if ($siteSubscriptionId > 0) {