From 90bb9259d8e427171623d01573582087274c9c2f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E8=90=9D=E5=8D=9C?= <dev@saasshop.local>
Date: Sun, 15 Mar 2026 04:29:01 +0000
Subject: [PATCH] =?UTF-8?q?=E5=B9=B3=E5=8F=B0=E8=AE=A2=E5=8D=95=E8=AF=A6?=
 =?UTF-8?q?=E6=83=85=20back=20=E5=AE=89=E5=85=A8=EF=BC=9A=E8=A1=A5?=
 =?UTF-8?q?=E5=85=85=E5=8D=8F=E8=AE=AE=E7=9B=B8=E5=AF=B9=20URL=EF=BC=88//e?=
 =?UTF-8?q?vil.com=EF=BC=89=E5=BA=94=E8=A2=AB=E6=8B=92=E7=BB=9D=E7=9A=84?=
 =?UTF-8?q?=E6=B5=8B=E8=AF=95=E6=8A=A4=E6=A0=8F?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 tests/Feature/AdminPlatformOrderShowBackLinkTest.php | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/tests/Feature/AdminPlatformOrderShowBackLinkTest.php b/tests/Feature/AdminPlatformOrderShowBackLinkTest.php
index 9078128..3222d76 100644
--- a/tests/Feature/AdminPlatformOrderShowBackLinkTest.php
+++ b/tests/Feature/AdminPlatformOrderShowBackLinkTest.php
@@ -98,5 +98,10 @@ class AdminPlatformOrderShowBackLinkTest extends TestCase
         $this->get('/admin/platform-orders/' . $order->id . '?back=https://evil.example.com')
             ->assertOk()
             ->assertDontSee('返回上一页（保留上下文）');
+
+        // 协议相对 URL 也应被拒绝
+        $this->get('/admin/platform-orders/' . $order->id . '?back=' . urlencode('//evil.example.com/a'))
+            ->assertOk()
+            ->assertDontSee('返回上一页（保留上下文）');
     }
 }