From ef8a0774423d2c0be6e650dae3a95c94948a437f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E8=90=9D=E5=8D=9C?= <dev@saasshop.local>
Date: Sat, 14 Mar 2026 17:05:58 +0000
Subject: [PATCH] =?UTF-8?q?=E8=AE=A2=E9=98=85=E8=AF=A6=E6=83=85=EF=BC=9A?=
 =?UTF-8?q?=E7=BB=9F=E4=B8=80safeBackForLinks=E6=8A=A4=E6=A0=8F=E5=8F=98?=
 =?UTF-8?q?=E9=87=8F=EF=BC=88=E5=8E=BB=E9=87=8D=EF=BC=89?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../admin/site_subscriptions/show.blade.php   | 27 ++++++++++---------
 1 file changed, 15 insertions(+), 12 deletions(-)

diff --git a/resources/views/admin/site_subscriptions/show.blade.php b/resources/views/admin/site_subscriptions/show.blade.php
index 6e054d1..dc83f91 100644
--- a/resources/views/admin/site_subscriptions/show.blade.php
+++ b/resources/views/admin/site_subscriptions/show.blade.php
@@ -119,18 +119,21 @@
 
     <div class="mt-10">
         @php
-            $back = (string) request()->query('back', '');
-            // back 安全校验：只接受相对路径，且拒绝引号/尖括号（由于下方 href 采用原样输出以避免 &amp; 影响回链/断言）
-            $safeBack = (str_starts_with($back, '/')
-                && !preg_match('/["\'<>]/', $back)
-                // back 本身不应再包含 back（避免无限嵌套导致 URL 膨胀）
-                && !preg_match('/(?:^|[?&])back=/', $back))
-                ? $back
+            $incomingBack = (string) request()->query('back', '');
+            // back 安全护栏：
+            // - 仅允许站内相对路径（/ 开头）
+            // - 拒绝引号/尖括号
+            // - 拒绝 nested back=（避免 URL 膨胀/绕过）
+            // 说明：下方 href 采用原样输出以避免 &amp; 影响回链/断言。
+            $safeBackForLinks = (str_starts_with($incomingBack, '/')
+                && !preg_match('/["\'<>]/', $incomingBack)
+                && !preg_match('/(?:^|[?&])back=/', $incomingBack))
+                ? $incomingBack
                 : '';
         @endphp
 
-        @if($safeBack)
-            <a href="{!! $safeBack !!}" class="muted">← 返回上一页（保留上下文）</a>
+        @if($safeBackForLinks !== '')
+            <a href="{!! $safeBackForLinks !!}" class="muted">← 返回上一页（保留上下文）</a>
             <span class="muted">｜</span>
         @endif
 
@@ -413,7 +416,7 @@
             // 重要：这里的筛选链接需要保留 back，否则点击后会丢失“返回上一页（保留上下文）”能力。
             // 同时：href 中会包含多个 query 参数，必须使用 `{!! !!}` 原样输出，避免 `&` 被转义为 `&amp;`。
             $incomingBack = (string) request()->query('back', '');
-            $safeBack = (str_starts_with($incomingBack, '/')
+            $safeBackForLinks = (str_starts_with($incomingBack, '/')
                 && !preg_match('/["\'<>]/', $incomingBack)
                 && !preg_match('/(?:^|[?&])back=/', $incomingBack))
                 ? $incomingBack
@@ -422,8 +425,8 @@
             $baseQuery = request()->query();
             unset($baseQuery['order_sync_status']);
 
-            if ($safeBack !== '') {
-                $baseQuery['back'] = $safeBack;
+            if ($safeBackForLinks !== '') {
+                $baseQuery['back'] = $safeBackForLinks;
             } else {
                 unset($baseQuery['back']);
             }