From 0f9bc85eda8e0c1bbbe168aa09f845765017bf41 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E8=90=9D=E5=8D=9C?=
Date: Sat, 14 Mar 2026 01:29:13 +0000
Subject: [PATCH] =?UTF-8?q?test(back):=20PlanController=20back=20=E5=BC=BA?=
 =?UTF-8?q?=E6=A0=A1=E9=AA=8C=E6=8A=A4=E6=A0=8F=EF=BC=88=E6=8B=92=E7=BB=9D?=
 =?UTF-8?q?=E5=BC=95=E5=8F=B7/=E5=B0=96=E6=8B=AC=E5=8F=B7=EF=BC=89?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../AdminPlanControllerBackValidationTest.php | 58 +++++++++++++++++++
 1 file changed, 58 insertions(+)
 create mode 100644 tests/Feature/AdminPlanControllerBackValidationTest.php
diff --git a/tests/Feature/AdminPlanControllerBackValidationTest.php b/tests/Feature/AdminPlanControllerBackValidationTest.php
new file mode 100644
index 0000000..c5d68ca
--- /dev/null
+++ b/tests/Feature/AdminPlanControllerBackValidationTest.php
@@ -0,0 +1,58 @@
+seed();
+
+ $this->post('/admin/login', [
+ 'email' => 'platform.admin@demo.local',
+ 'password' => 'Platform@123456',
+ ])->assertRedirect('/admin');
+ }
+
+ public function test_create_should_not_echo_back_when_back_contains_quotes_or_brackets(): void
+ {
+ $this->loginAsPlatformAdmin();
+
+ $unsafeBack = '/admin/platform-orders?keyword="x"&a=';
+
+ $res = $this->get('/admin/plans/create?back=' . urlencode($unsafeBack));
+ $res->assertOk();
+
+ // form hidden input 不应出现 unsafe back
+ $res->assertDontSee('name="back"', false);
+ $res->assertDontSee($unsafeBack, false);
+ }
+
+ public function test_store_should_ignore_unsafe_back_and_redirect_to_index(): void
+ {
+ $this->loginAsPlatformAdmin();
+
+ $unsafeBack = '/admin/platform-orders?keyword="x"&a=';
+
+ $res = $this->post('/admin/plans', [
+ 'code' => 'plan_back_unsafe_01',
+ 'name' => 'plan back unsafe',
+ 'billing_cycle' => 'monthly',
+ 'price' => 10,
+ 'list_price' => 10,
+ 'status' => 'active',
+ 'sort' => 10,
+ 'description' => '',
+ 'published_at' => now()->toDateTimeString(),
+ 'back' => $unsafeBack,
+ ]);
+
+ // unsafe back 应被忽略,回到列表页
+ $res->assertRedirect('/admin/plans');
+ }
+}
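Review bot: Both tests only exercise a rejected `back`, so nothing here fails if the controller starts dropping `back` altogether — `assertDontSee('name="back"', false)` and `assertRedirect('/admin/plans')` pass equally for "rejected" and "feature removed". Add a companion test with a safe value, e.g. `$safeBack = '/admin/platform-orders?keyword=x';`, asserting `$res->assertSee('name="back"', false)` on the create page and `$res->assertRedirect($safeBack)` after store, so the guard is pinned as a filter rather than an off switch. The second assertion in the create test, `$res->assertDontSee($unsafeBack, false)`, is also weak on its own: if the value were echoed through Blade's escaping the raw `"x"` would never appear in the response, so only the `name="back"` check actually carries the test. Since the guard exists to prevent an open redirect, consider also covering an absolute and a protocol-relative value (`https://…`, `//…`) so the expectation reads "only same-site relative paths are honoured" rather than a character denylist. On this page the hunk's opening lines (file header, class declaration and the start of `loginAsPlatformAdmin()`) are missing and the `$unsafeBack` fixture ends at `&a=`, which looks like an extraction artefact rather than the committed value, so the angle-bracket case named in the test title may or may not be present in the real fixture.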