From 9b46699ed772c7f24983b4fcf2248963bf3dabd5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E8=90=9D=E5=8D=9C?= <dev@saasshop.local>
Date: Fri, 20 Mar 2026 09:13:56 +0800
Subject: [PATCH] =?UTF-8?q?=E8=A1=A5=E9=BD=90=E5=B9=B3=E5=8F=B0=E8=AE=A2?=
 =?UTF-8?q?=E5=8D=95=E8=AF=A6=E6=83=85=E9=A1=B5=E5=95=86=E5=AE=B6=E5=A5=97?=
 =?UTF-8?q?=E9=A4=90=E5=9B=9E=E9=93=BE=E6=B5=8B=E8=AF=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 ...erShowMerchantPlanLinksContainBackTest.php | 58 +++++++++++++++++++
 1 file changed, 58 insertions(+)

diff --git a/tests/Feature/AdminPlatformOrderShowMerchantPlanLinksContainBackTest.php b/tests/Feature/AdminPlatformOrderShowMerchantPlanLinksContainBackTest.php
index 306c708..3793181 100644
--- a/tests/Feature/AdminPlatformOrderShowMerchantPlanLinksContainBackTest.php
+++ b/tests/Feature/AdminPlatformOrderShowMerchantPlanLinksContainBackTest.php
@@ -75,4 +75,62 @@ class AdminPlatformOrderShowMerchantPlanLinksContainBackTest extends TestCase
         $res->assertSee($expectedMerchantUrl, false);
         $res->assertSee($expectedPlanUrl, false);
     }
+
+    public function test_show_page_merchant_and_plan_links_should_still_use_order_show_self_back_when_outer_back_is_unsafe(): void
+    {
+        $this->loginAsPlatformAdmin();
+
+        $merchant = Merchant::query()->firstOrFail();
+
+        $plan = Plan::query()->create([
+            'code' => 'po_show_merchant_plan_unsafe_back_test',
+            'name' => '平台订单详情商家/套餐 unsafe back 链接测试套餐',
+            'billing_cycle' => 'monthly',
+            'price' => 10,
+            'list_price' => 10,
+            'status' => 'active',
+            'sort' => 10,
+            'published_at' => now(),
+        ]);
+
+        $order = PlatformOrder::query()->create([
+            'merchant_id' => $merchant->id,
+            'plan_id' => $plan->id,
+            'order_no' => 'PO_SHOW_MERCHANT_PLAN_BACK_0002',
+            'order_type' => 'new_purchase',
+            'status' => 'pending',
+            'payment_status' => 'unpaid',
+            'plan_name' => $plan->name,
+            'billing_cycle' => $plan->billing_cycle,
+            'period_months' => 1,
+            'quantity' => 1,
+            'payable_amount' => 10,
+            'paid_amount' => 0,
+            'placed_at' => now(),
+            'meta' => [],
+        ]);
+
+        $unsafeBack = '/admin/platform-orders?' . Arr::query([
+            'status' => 'pending',
+            'back' => '/admin',
+        ]);
+
+        $res = $this->get('/admin/platform-orders/' . $order->id . '?back=' . urlencode($unsafeBack));
+        $res->assertOk();
+
+        $expectedMerchantUrl = '/admin/platform-orders?' . Arr::query([
+            'merchant_id' => $merchant->id,
+            'back' => '/admin/platform-orders/' . $order->id,
+        ]);
+
+        $expectedPlanUrl = '/admin/platform-orders?' . Arr::query([
+            'plan_id' => $plan->id,
+            'back' => '/admin/platform-orders/' . $order->id,
+        ]);
+
+        $res->assertSee($expectedMerchantUrl, false);
+        $res->assertSee($expectedPlanUrl, false);
+        $res->assertDontSee('back=' . $unsafeBack, false);
+        $res->assertDontSee('back%3D', false);
+    }
 }