From e7070fee759486ad45baf5678495d57578ff9c06 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E8=90=9D=E5=8D=9C?=
Date: Sat, 14 Mar 2026 16:55:23 +0000
Subject: [PATCH] =?UTF-8?q?=E7=BA=BF=E7=B4=A2=E5=88=97=E8=A1=A8=EF=BC=9A?= =?UTF-8?q?=E5=A4=8D=E7=94=A8safeBackForLinks=E6=B8=B2=E6=9F=93=E8=BF=94?= =?UTF-8?q?=E5=9B=9E/=E7=AD=9B=E9=80=89back=EF=BC=88=E5=8E=BB=E9=87=8D?= =?UTF-8?q?=EF=BC=89?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../views/admin/platform_leads/index.blade.php | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/resources/views/admin/platform_leads/index.blade.php b/resources/views/admin/platform_leads/index.blade.php
index 9f7fe5d..f6facd2 100644
--- a/resources/views/admin/platform_leads/index.blade.php
+++ b/resources/views/admin/platform_leads/index.blade.php
@@ -5,16 +5,17 @@
 @section('content')
 @php
+ // back 安全护栏(全页通用):
+ // - 仅允许站内相对路径(/ 开头)
+ // - 拒绝引号/尖括号(由于本页大量 href 采用 `{!! !!}` 原样输出,必须严控注入风险)
+ // - 拒绝 nested back=(避免 URL 膨胀/绕过)
 $incomingBack = (string) request()->query('back', '');
- // 为避免 & 被 Blade escape 成 &amp; 导致回退上下文丢失,这里需要原样输出 href。
- // 安全护栏:必须为站内相对路径,并拒绝引号/尖括号,且拒绝 nested back。
- $safeBack = (str_starts_with($incomingBack, '/')
+ $safeBackForLinks = (str_starts_with($incomingBack, '/')
 && !preg_match('/["\'<>]/', $incomingBack)
 && !preg_match('/(?:^|[?&])back=/', $incomingBack))
 ? $incomingBack : '';
- // back 参数用于“返回上一页(保留上下文)”,但 back 本身不应再包含 back(避免无限嵌套导致 URL 膨胀)
 $currentQuery = request()->query();
 unset($currentQuery['back']);
@@ -61,9 +62,9 @@
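Review bot: The new `$safeBackForLinks` guard still accepts protocol-relative targets — `//evil.example/x` and `/\evil.example` both start with `/` and contain none of the rejected characters, so a link whose href is emitted raw with `{!! !!}` (as the new comment says this page does) becomes an open redirect to an attacker-chosen host. Browsers also strip ASCII tab and newline from a URL before resolving it, so `/\t/evil.example` collapses to `//evil.example` and a literal `//` check on its own is not enough. Add `&& !preg_match('#^/[/\\\\]#', $incomingBack)` after the `str_starts_with` line and widen the character filter to `&& !preg_match('/[\x00-\x20\x7f"\'<>]/', $incomingBack)` so control characters and whitespace are refused as well. The removed rationale that Blade's `&amp;` escaping would break the link is a misconception — browsers decode `&amp;` inside an href attribute — so these links could use `{{ }}` and keep this filter only as defence in depth; the `@php` block continues past the end of the hunk.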

对外平台(/platform)收集的开通意向线索,用于前期 A(站点开通型)人工运营承接。

- @if($safeBack)
+ @if($safeBackForLinks !== '')
 @endif

后续会在此处逐步接入:一键生成站点/订阅/平台订单、跟进记录、转化漏斗与治理提示。

@@ -72,8 +73,8 @@

筛选

- @if($safeBack)
-
+ @if($safeBackForLinks !== '')
+
 @endif