From f28025dd73be26d303fcf3467135832ba978e9d5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E8=90=9D=E5=8D=9C?=
Date: Sat, 14 Mar 2026 05:05:34 +0000
Subject: [PATCH] =?UTF-8?q?chore(admin):=20=E8=AE=A2=E5=8D=95=E8=AF=A6?=
 =?UTF-8?q?=E6=83=85=20back=20=E5=BC=BA=E6=A0=A1=E9=AA=8C+=E7=BA=BF?=
 =?UTF-8?q?=E7=B4=A2=E6=8F=90=E7=A4=BA=EF=BC=88=E6=9D=A5=E8=87=AA=E5=88=97?=
 =?UTF-8?q?=E8=A1=A8lead=5Fid=E8=8C=83=E5=9B=B4=EF=BC=89?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../admin/platform_orders/show.blade.php | 21 ++++-
 ...owBackSafetyValveRejectsNestedBackTest.php | 76 ++++++++++++++++++
 ...latformOrderShowLeadIdFromBackHintTest.php | 79 +++++++++++++++++++
 3 files changed, 174 insertions(+), 2 deletions(-)
 create mode 100644 tests/Feature/AdminPlatformOrderShowBackSafetyValveRejectsNestedBackTest.php
 create mode 100644 tests/Feature/AdminPlatformOrderShowLeadIdFromBackHintTest.php
diff --git a/resources/views/admin/platform_orders/show.blade.php b/resources/views/admin/platform_orders/show.blade.php
index 7fb0b5d..74250c6 100644
--- a/resources/views/admin/platform_orders/show.blade.php
+++ b/resources/views/admin/platform_orders/show.blade.php
@@ -669,12 +669,29 @@
@php $back = (string) request()->query('back', ''); - // back 安全校验:只接受相对路径,且拒绝引号/尖括号,避免潜在 XSS(由于下方 href 采用原样输出以避免 & 影响断言) - $safeBack = (str_starts_with($back, '/') && !preg_match('/["\'<>]/', $back)) ? $back : ''; + // back 安全校验:只接受相对路径,且拒绝引号/尖括号,并拒绝 nested back,避免潜在 XSS/URL 膨胀。 + // 说明:下方 href 采用原样输出以避免 & 影响断言。 + $safeBack = (str_starts_with($back, '/') + && !preg_match('/["\'<>]/', $back) + && !preg_match('/(?:^|[?&])back=/', $back)) + ? $back + : ''; + + // 若 back 指向的平台订单列表带 lead_id,则在详情页也提示当前来源线索(更不迷路)。 + $leadIdFromBack = 0; + if ($safeBack !== '') { + $parts = parse_url($safeBack); + parse_str((string) ($parts['query'] ?? ''), $q); + $leadIdFromBack = (int) ($q['lead_id'] ?? 0); + } @endphp @if($safeBack) ← 返回上一页(保留上下文) + @if($leadIdFromBack > 0) + + 来源线索:#{{ $leadIdFromBack }} + @endif @endif diff --git a/tests/Feature/AdminPlatformOrderShowBackSafetyValveRejectsNestedBackTest.php b/tests/Feature/AdminPlatformOrderShowBackSafetyValveRejectsNestedBackTest.php new file mode 100644 index 0000000..fecf3bd --- /dev/null +++ b/tests/Feature/AdminPlatformOrderShowBackSafetyValveRejectsNestedBackTest.php 
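Review bot: The `$safeBack` guard still accepts protocol-relative values, because `str_starts_with($back, '/')` is also true for `//other-host/...` (and for a `/\` prefix, which browsers normalise the same way), so the raw-output `href` the comment describes can send the admin's "返回上一页" link to another origin. Add `&& !str_starts_with($back, '//') && !str_starts_with($back, '/\\')` beside the existing `str_starts_with` condition. Since the hunk already runs `parse_url` and `parse_str` on the value, the nested-back rule could be expressed as `!isset($q['back'])` on the parsed query instead of the literal `back=` regex, which would also cover spellings of the key that only match after decoding. The `<a>` element that consumes `$safeBack` is not visible in this hunk, so the unescaped-output claim is taken from the comment rather than the markup.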
@@ -0,0 +1,76 @@
+seed();
+
+ $this->post('/admin/login', [
+ 'email' => 'platform.admin@demo.local',
+ 'password' => 'Platform@123456',
+ ])->assertRedirect('/admin');
+ }
+
+ public function test_show_should_not_render_back_link_when_back_contains_nested_back(): void
+ {
+ $this->loginAsPlatformAdmin();
+
+ $merchant = Merchant::query()->firstOrFail();
+
+ $plan = Plan::query()->create([
+ 'code' => 'show_back_nested_plan',
+ 'name' => '订单详情back嵌套测试套餐',
+ 'billing_cycle' => 'monthly',
+ 'price' => 10,
+ 'list_price' => 10,
+ 'status' => 'active',
+ 'sort' => 10,
+ 'published_at' => now(),
+ ]);
+
+ $order = PlatformOrder::query()->create([
+ 'merchant_id' => $merchant->id,
+ 'plan_id' => $plan->id,
+ 'site_subscription_id' => null,
+ 'created_by_admin_id' => 1,
+ 'order_no' => 'PO_SHOW_BACK_NESTED_0001',
+ 'order_type' => 'new_purchase',
+ 'status' => 'pending',
+ 'payment_status' => 'unpaid',
+ 'payment_channel' => null,
+ 'plan_name' => $plan->name,
+ 'billing_cycle' => $plan->billing_cycle,
+ 'period_months' => 1,
+ 'quantity' => 1,
+ 'list_amount' => 10,
+ 'discount_amount' => 0,
+ 'payable_amount' => 10,
+ 'paid_amount' => 0,
+ 'placed_at' => now(),
+ 'plan_snapshot' => ['plan_id' => $plan->id],
+ 'meta' => [],
+ 'remark' => 'test',
+ ]);
+
+ $nestedBack = '/admin/platform-orders?back=' . urlencode('/admin');
+
+ $res = $this->get('/admin/platform-orders/' . $order->id . '?' . Arr::query([
+ 'back' => $nestedBack,
+ ]));
+
+ $res->assertOk();
+ $res->assertDontSee('返回上一页(保留上下文)', false);
+ }
+}
diff --git a/tests/Feature/AdminPlatformOrderShowLeadIdFromBackHintTest.php b/tests/Feature/AdminPlatformOrderShowLeadIdFromBackHintTest.php
new file mode 100644
index 0000000..a582e7f
--- /dev/null
+++ b/tests/Feature/AdminPlatformOrderShowLeadIdFromBackHintTest.php
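Review bot: The only content assertion, `$res->assertDontSee('返回上一页(保留上下文)', false)`, would also pass if the detail page stopped rendering that section for an unrelated reason, so the test does not pin that the guard, rather than a layout change, removed the link. Pair it with a positive assertion on something the page must show, e.g. `$res->assertSee('PO_SHOW_BACK_NESTED_0001', false);` if the order number is rendered on the detail page, so a broken view fails for the right reason. The start of the file (namespace, imports, and the signature of the method that calls `seed()`) is not visible in this hunk.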
@@ -0,0 +1,79 @@
+seed();
+
+ $this->post('/admin/login', [
+ 'email' => 'platform.admin@demo.local',
+ 'password' => 'Platform@123456',
+ ])->assertRedirect('/admin');
+ }
+
+ public function test_show_should_render_lead_hint_when_back_contains_lead_id(): void
+ {
+ $this->loginAsPlatformAdmin();
+
+ $merchant = Merchant::query()->firstOrFail();
+
+ $plan = Plan::query()->create([
+ 'code' => 'show_back_lead_plan',
+ 'name' => '订单详情back线索提示测试套餐',
+ 'billing_cycle' => 'monthly',
+ 'price' => 10,
+ 'list_price' => 10,
+ 'status' => 'active',
+ 'sort' => 10,
+ 'published_at' => now(),
+ ]);
+
+ $order = PlatformOrder::query()->create([
+ 'merchant_id' => $merchant->id,
+ 'plan_id' => $plan->id,
+ 'site_subscription_id' => null,
+ 'created_by_admin_id' => 1,
+ 'order_no' => 'PO_SHOW_BACK_LEAD_0001',
+ 'order_type' => 'new_purchase',
+ 'status' => 'pending',
+ 'payment_status' => 'unpaid',
+ 'payment_channel' => null,
+ 'plan_name' => $plan->name,
+ 'billing_cycle' => $plan->billing_cycle,
+ 'period_months' => 1,
+ 'quantity' => 1,
+ 'list_amount' => 10,
+ 'discount_amount' => 0,
+ 'payable_amount' => 10,
+ 'paid_amount' => 0,
+ 'placed_at' => now(),
+ 'plan_snapshot' => ['plan_id' => $plan->id],
+ 'meta' => [],
+ 'remark' => 'test',
+ ]);
+
+ $back = '/admin/platform-orders?' . Arr::query([
+ 'lead_id' => 12,
+ 'payment_status' => 'paid',
+ ]);
+
+ $res = $this->get('/admin/platform-orders/' . $order->id . '?' . Arr::query([
+ 'back' => $back,
+ ]));
+
+ $res->assertOk();
+ $res->assertSee('来源线索:#12', false);
+ }
+}
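Review bot: The fixture code here (the login call, `Plan::query()->create([...])` and `PlatformOrder::query()->create([...])`) is a near-verbatim copy of the file in the previous hunk, differing only in the plan code, plan name and `order_no`; a shared trait or a small factory method taking those three values would keep both tests in step when the order schema changes. The test also pins only the hint text, not the link that carries the context it came from; adding `$res->assertSee($back, false);` would check that the `back` value round-trips intact, which the view comment says the unescaped href exists to make assertable. The file header and the start of the method that calls `seed()` are outside this hunk.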