fix(admin plans form): sanitize back hidden input
This commit is contained in:
萝卜
@@ -12,9 +12,18 @@
|
||||
<form method="post" action="{{ $formAction }}" class="card form-grid">
|
||||
@csrf
|
||||
|
||||
@php $back = (string) ($back ?? ''); @endphp
|
||||
@if($back !== '')
|
||||
<input type="hidden" name="back" value="{{ $back }}">
|
||||
@php
|
||||
$back = (string) ($back ?? '');
|
||||
// back 作为隐藏字段用于 store 后跳转回来源页:同样需要安全护栏
|
||||
$safeBack = (str_starts_with($back, '/')
|
||||
&& !preg_match('/["\'<>]/', $back)
|
||||
// back 本身不应再包含 back(避免无限嵌套导致 URL 膨胀)
|
||||
&& !preg_match('/(?:^|[?&])back=/', $back))
|
||||
? $back
|
||||
: '';
|
||||
@endphp
|
||||
@if($safeBack !== '')
|
||||
<input type="hidden" name="back" value="{{ $safeBack }}">
|
||||
@endif
|
||||
|
||||
<label>
|
||||
|
||||
Reference in New Issue
Block a user