From cd615e654bcb1d45317c486ab42a356edddf39f6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E8=90=9D=E5=8D=9C?=
Date: Sat, 14 Mar 2026 17:01:37 +0000
Subject: [PATCH] =?UTF-8?q?=E5=B9=B3=E5=8F=B0=E8=AE=A2=E5=8D=95=E8=AF=A6?= =?UTF-8?q?=E6=83=85=EF=BC=9A=E7=BB=9F=E4=B8=80safeBackForLinks=E6=8A=A4?= =?UTF-8?q?=E6=A0=8F=E6=B8=B2=E6=9F=93=E8=BF=94=E5=9B=9E=E9=93=BE=E6=8E=A5?= =?UTF-8?q?=EF=BC=88=E9=87=8D=E5=91=BD=E5=90=8D=EF=BC=89?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../admin/platform_orders/show.blade.php | 23 +++++++++++--------
 1 file changed, 13 insertions(+), 10 deletions(-)
diff --git a/resources/views/admin/platform_orders/show.blade.php b/resources/views/admin/platform_orders/show.blade.php
index 18935e4..f7ad33b 100644
--- a/resources/views/admin/platform_orders/show.blade.php
+++ b/resources/views/admin/platform_orders/show.blade.php
@@ -760,26 +760,29 @@
 @php
- $back = (string) request()->query('back', '');
- // back 安全校验:只接受相对路径,且拒绝引号/尖括号,并拒绝 nested back,避免潜在 XSS/URL 膨胀。
+ $incomingBack = (string) request()->query('back', '');
+ // back 安全护栏:
+ // - 仅允许站内相对路径(/ 开头)
+ // - 拒绝引号/尖括号
+ // - 拒绝 nested back=(避免 URL 膨胀/绕过)
 // 说明:下方 href 采用原样输出以避免 & 影响断言。
- $safeBack = (str_starts_with($back, '/')
- && !preg_match('/["\'<>]/', $back)
- && !preg_match('/(?:^|[?&])back=/', $back))
- ? $back
+ $safeBackForLinks = (str_starts_with($incomingBack, '/')
+ && !preg_match('/["\'<>]/', $incomingBack)
+ && !preg_match('/(?:^|[?&])back=/', $incomingBack))
+ ? $incomingBack
 : '';
 // 若 back 指向的平台订单列表带 lead_id,则在详情页也提示当前来源线索(更不迷路)。
 $leadIdFromBack = 0;
- if ($safeBack !== '') {
- $parts = parse_url($safeBack);
+ if ($safeBackForLinks !== '') {
+ $parts = parse_url($safeBackForLinks);
 parse_str((string) ($parts['query'] ?? ''), $q);
 $leadIdFromBack = (int) ($q['lead_id'] ?? 0);
 }
 @endphp
- @if($safeBack)
- ← 返回上一页(保留上下文)
+ @if($safeBackForLinks !== '')
+ ← 返回上一页(保留上下文)
 @if($leadIdFromBack > 0)
 来源线索:#{{ $leadIdFromBack }}
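Review bot: The guard that computes `$safeBackForLinks` still accepts a protocol-relative target, because `str_starts_with($incomingBack, '/')` is also true for a value beginning with `//` (which browsers resolve against the current scheme and follow off-site, and a leading `/\` is treated the same way), so the "仅允许站内相对路径" bullet is not actually enforced and the raw `href` output becomes an open redirect. Adding `&& !str_starts_with($incomingBack, '//')` and `&& !str_starts_with($incomingBack, '/\\')` to the conjunction closes this at the same cost as the existing checks, and the comment bullet should then read `// - 拒绝 //host 与 /\host 形式(不允许跳出站内)`. The anchor markup that emits the value is not visible on this page, so the raw-output context is inferred from the `// 说明` comment, and the `@if` blocks opened at the end of the hunk close outside the visible lines.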