BackUrl::sanitizeForLinks 增加长度安全阀（>2000 拒绝）并补单测

app/Support/BackUrl.php

@@ -18,6 +18,12 @@ class BackUrl
             return '';
         }
 
+        // 长度安全阀：避免超长 back 造成 header/url 过大、日志污染或潜在 DoS
+        // 与表单侧 max:2000 的校验口径对齐。
+        if (strlen($incomingBack) > 2000) {
+            return '';
+        }
+
         if (!str_starts_with($incomingBack, '/')) {
             return '';
         }

tests/Unit/BackUrlSanitizeForLinksTest.php

@@ -12,6 +12,12 @@ class BackUrlSanitizeForLinksTest extends TestCase
         $this->assertSame('/admin/platform-orders', BackUrl::sanitizeForLinks('/admin/platform-orders'));
     }
 
+    public function test_sanitize_for_links_should_reject_too_long_back(): void
+    {
+        $long = '/admin/x?' . str_repeat('a', 5000);
+        $this->assertSame('', BackUrl::sanitizeForLinks($long));
+    }
+
     public function test_sanitize_for_links_should_reject_absolute_urls(): void
     {
         $this->assertSame('', BackUrl::sanitizeForLinks('https://evil.com/a'));