fix(back): 拒绝 nested back 参数避免回退 URL 膨胀（plans/platform-orders）

2026-03-14 02:07:04 +00:00
parent 6c8d78d981
commit 56bf040252
4 changed files with 61 additions and 6 deletions
--- a/tests/Feature/AdminPlanControllerBackValidationTest.php
+++ b/tests/Feature/AdminPlanControllerBackValidationTest.php
@@ -33,6 +33,19 @@ class AdminPlanControllerBackValidationTest extends TestCase
        $res->assertDontSee($unsafeBack, false);
    }

+    public function test_create_should_not_echo_back_when_back_contains_nested_back_param(): void
+    {
+        $this->loginAsPlatformAdmin();
+
+        $nestedBack = '/admin/platform-orders?status=pending&back=/admin/plans';
+
+        $res = $this->get('/admin/plans/create?back=' . urlencode($nestedBack));
+        $res->assertOk();
+
+        $res->assertDontSee('name="back"', false);
+        $res->assertDontSee($nestedBack, false);
+    }
+
    public function test_store_should_ignore_unsafe_back_and_redirect_to_index(): void
    {
        $this->loginAsPlatformAdmin();
--- a/tests/Feature/AdminPlatformOrderCreateBackValidationTest.php
+++ b/tests/Feature/AdminPlatformOrderCreateBackValidationTest.php
@@ -35,4 +35,18 @@ class AdminPlatformOrderCreateBackValidationTest extends TestCase
        // 返回按钮应回退到默认列表
        $res->assertSee('href="/admin/platform-orders"', false);
    }
+
+    public function test_create_should_not_echo_back_when_back_contains_nested_back_param(): void
+    {
+        $this->loginAsPlatformAdmin();
+
+        $nestedBack = '/admin/site-subscriptions?status=activated&back=/admin/platform-orders';
+
+        $res = $this->get('/admin/platform-orders/create?back=' . urlencode($nestedBack));
+        $res->assertOk();
+
+        $res->assertDontSee('name="back"', false);
+        $res->assertDontSee($nestedBack, false);
+        $res->assertSee('href="/admin/platform-orders"', false);
+    }
 }