平台订单详情:统一safeBackForLinks护栏渲染返回链接(重命名)
@@ -760,26 +760,29 @@
|
||||
|
||||
<div class="mb-20 mt-16">
|
||||
@php
|
||||
$back = (string) request()->query('back', '');
|
||||
// back 安全校验:只接受相对路径,且拒绝引号/尖括号,并拒绝 nested back,避免潜在 XSS/URL 膨胀。
|
||||
$incomingBack = (string) request()->query('back', '');
|
||||
// back 安全护栏:
|
||||
// - 仅允许站内相对路径(/ 开头)
|
||||
// - 拒绝引号/尖括号
|
||||
// - 拒绝 nested back=(避免 URL 膨胀/绕过)
|
||||
// 说明:下方 href 采用原样输出以避免 & 影响断言。
|
||||
$safeBack = (str_starts_with($back, '/')
|
||||
&& !preg_match('/["\'<>]/', $back)
|
||||
&& !preg_match('/(?:^|[?&])back=/', $back))
|
||||
? $back
|
||||
$safeBackForLinks = (str_starts_with($incomingBack, '/')
|
||||
&& !preg_match('/["\'<>]/', $incomingBack)
|
||||
&& !preg_match('/(?:^|[?&])back=/', $incomingBack))
|
||||
? $incomingBack
|
||||
: '';
|
||||
|
||||
// 若 back 指向的平台订单列表带 lead_id,则在详情页也提示当前来源线索(更不迷路)。
|
||||
$leadIdFromBack = 0;
|
||||
if ($safeBack !== '') {
|
||||
$parts = parse_url($safeBack);
|
||||
if ($safeBackForLinks !== '') {
|
||||
$parts = parse_url($safeBackForLinks);
|
||||
parse_str((string) ($parts['query'] ?? ''), $q);
|
||||
$leadIdFromBack = (int) ($q['lead_id'] ?? 0);
|
||||
}
|
||||
@endphp
|
||||
|
||||
@if($safeBack)
|
||||
<a href="{!! $safeBack !!}" class="muted">← 返回上一页(保留上下文)</a>
|
||||
@if($safeBackForLinks !== '')
|
||||
<a href="{!! $safeBackForLinks !!}" class="muted">← 返回上一页(保留上下文)</a>
|
||||
@if($leadIdFromBack > 0)
|
||||
<span class="muted">|</span>
|
||||
<span class="badge">来源线索:#{{ $leadIdFromBack }}</span>
|
||||
|
||||
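Review bot: The guard that builds `$safeBackForLinks` still accepts values beginning with `//` or `/\`, which browsers resolve as scheme-relative URLs to another host, so the "站内相对路径" intent stated in the comment is not actually enforced and the raw `{!! $safeBackForLinks !!}` href can point off-site. A second check on the first two characters closes this, e.g. `&& !preg_match('~^/[/\\\\]~', $incomingBack)` placed right after the `str_starts_with` test. Separately, `parse_url()` returns `false` for a malformed path, and reading `$parts['query']` from `false` raises a warning in PHP 8; `$parts = parse_url($safeBackForLinks) ?: [];` keeps the lead_id lookup quiet. The `@if` blocks opened at the end of the hunk close outside it.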