订阅页 back 安全护栏：快捷筛选仅透传安全 back（补测试）

2026-03-14 15:45:20 +00:00
parent 08488257ca
commit 2d10c80f2b
2 changed files with 65 additions and 13 deletions
--- a/tests/Feature/AdminSiteSubscriptionIndexUnsafeBackShouldBeDroppedForLinksTest.php
+++ b/tests/Feature/AdminSiteSubscriptionIndexUnsafeBackShouldBeDroppedForLinksTest.php
@@ -0,0 +1,47 @@
+<?php
+
+namespace Tests\Feature;
+
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use PHPUnit\Framework\Attributes\DataProvider;
+use Tests\TestCase;
+
+class AdminSiteSubscriptionIndexUnsafeBackShouldBeDroppedForLinksTest extends TestCase
+{
+    use RefreshDatabase;
+
+    protected function loginAsPlatformAdmin(): void
+    {
+        $this->seed();
+
+        $this->post('/admin/login', [
+            'email' => 'platform.admin@demo.local',
+            'password' => 'Platform@123456',
+        ])->assertRedirect('/admin');
+    }
+
+    public static function invalidBackProvider(): array
+    {
+        return [
+            'contains quote' => ['/' . 'admin/site-subscriptions?x="y"'],
+            'contains angle bracket' => ['/admin/site-subscriptions?x=<script>'],
+            'nested back param' => ['/admin/site-subscriptions?status=active&back=/admin/platform-orders'],
+            'absolute url' => ['https://evil.example.com'],
+        ];
+    }
+
+    #[DataProvider('invalidBackProvider')]
+    public function test_index_should_drop_unsafe_back_for_links(string $back): void
+    {
+        $this->loginAsPlatformAdmin();
+
+        $res = $this->get('/admin/site-subscriptions?back=' . urlencode($back));
+        $res->assertOk();
+
+        // 不应渲染 back 回退入口
+        $res->assertDontSee('返回上一页（保留上下文）');
+
+        // 快捷筛选/全部链接不应透传 unsafe back
+        $res->assertDontSee('back=' . $back, false);
+    }
+}