From de689a97d00ddec3b089a19cac3d0e1049da6fa1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E8=90=9D=E5=8D=9C?= Date: Sat, 14 Mar 2026 17:12:32 +0000 Subject: [PATCH] =?UTF-8?q?=E5=B9=B3=E5=8F=B0=E8=AE=A2=E5=8D=95=E8=A1=A8?= =?UTF-8?q?=E5=8D=95=EF=BC=9A=E7=BB=9F=E4=B8=80safeBackForLinks=E6=8A=A4?= =?UTF-8?q?=E6=A0=8F=E5=8F=98=E9=87=8F=EF=BC=88=E5=8E=BB=E9=87=8D=EF=BC=89?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../views/admin/platform_orders/form.blade.php | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/resources/views/admin/platform_orders/form.blade.php b/resources/views/admin/platform_orders/form.blade.php index 43b98f6..a235f15 100644 --- a/resources/views/admin/platform_orders/form.blade.php +++ b/resources/views/admin/platform_orders/form.blade.php @@ -132,18 +132,20 @@
@php $incomingBack = (string) ($defaults['back'] ?? ''); - // 为避免 & 被 Blade escape 成 & 导致回退上下文丢失,这里需要原样输出 href。 - // 安全护栏:必须为站内相对路径,并拒绝引号/尖括号,降低 XSS 风险。 - $safeBack = (str_starts_with($incomingBack, '/') - && !preg_match('/["\'<>]/', $incomingBack) - // back 本身不应再包含 back(避免无限嵌套导致 URL 膨胀) - && !preg_match('/(?:^|[?&])back=/', $incomingBack)) + // back 安全护栏: + // - 仅允许站内相对路径(/ 开头) + // - 拒绝引号/尖括号 + // - 拒绝 nested back=(避免 URL 膨胀/绕过) + // 说明:此处 href 采用原样输出以避免 & 影响回链/断言。 + $safeBackForLinks = (str_starts_with($incomingBack, '/') + && !preg_match('/["\'<>]/', $incomingBack) + && !preg_match('/(?:^|[?&])back=/', $incomingBack)) ? $incomingBack : ''; @endphp - @if($safeBack) - 返回(保留上下文) + @if($safeBackForLinks !== '') + 返回(保留上下文) @else 返回 @endif