平台订单详情 back 安全：补充协议相对 URL（//evil.com）应被拒绝的测试护栏

2026-03-15 04:29:01 +00:00
parent a0039cf543
commit 90bb9259d8
1 changed files with 5 additions and 0 deletions
--- a/tests/Feature/AdminPlatformOrderShowBackLinkTest.php
+++ b/tests/Feature/AdminPlatformOrderShowBackLinkTest.php
@@ -98,5 +98,10 @@ class AdminPlatformOrderShowBackLinkTest extends TestCase
        $this->get('/admin/platform-orders/' . $order->id . '?back=https://evil.example.com')
            ->assertOk()
            ->assertDontSee('返回上一页（保留上下文）');
+
+        // 协议相对 URL 也应被拒绝
+        $this->get('/admin/platform-orders/' . $order->id . '?back=' . urlencode('//evil.example.com/a'))
+            ->assertOk()
+            ->assertDontSee('返回上一页（保留上下文）');
    }
 }