diff --git a/resources/views/admin/plans/form.blade.php b/resources/views/admin/plans/form.blade.php
index d806fd5..d89d921 100644
--- a/resources/views/admin/plans/form.blade.php
+++ b/resources/views/admin/plans/form.blade.php
@@ -76,7 +76,8 @@ $backUrl = $back !== '' ? $back : '/admin/plans'; @endphp
diff --git a/tests/Feature/AdminPlanFormBackLinkNotEscapedTest.php b/tests/Feature/AdminPlanFormBackLinkNotEscapedTest.php
new file mode 100644
index 0000000..e413c6f
--- /dev/null
+++ b/tests/Feature/AdminPlanFormBackLinkNotEscapedTest.php
@@ -0,0 +1,59 @@
+seed();
+
+ $this->post('/admin/login', [
+ 'email' => 'platform.admin@demo.local',
+ 'password' => 'Platform@123456',
+ ])->assertRedirect('/admin');
+ }
+
+ public function test_create_form_back_link_should_not_escape_ampersand(): void
+ {
+ $this->loginAsPlatformAdmin();
+
+ $back = '/admin/plans?status=active&keyword=test';
+
+ $res = $this->get('/admin/plans/create?back=' . urlencode($back));
+ $res->assertOk();
+
+ $res->assertSee('href="' . $back . '"', false);
+ $res->assertDontSee('href="' . str_replace('&', '&', $back) . '"', false);
+ }
+
+ public function test_edit_form_back_link_should_not_escape_ampersand(): void
+ {
+ $this->loginAsPlatformAdmin();
+
+ $plan = Plan::query()->create([
+ 'code' => 'plan_form_back_01',
+ 'name' => 'plan form back',
+ 'billing_cycle' => 'monthly',
+ 'price' => 10,
+ 'list_price' => 10,
+ 'status' => 'active',
+ 'sort' => 10,
+ 'published_at' => now(),
+ ]);
+
+ $back = '/admin/plans?status=inactive&keyword=test';
+
+ $res = $this->get('/admin/plans/' . $plan->id . '/edit?back=' . urlencode($back));
+ $res->assertOk();
+
+ $res->assertSee('href="' . $back . '"', false);
+ $res->assertDontSee('href="' . str_replace('&', '&', $back) . '"', false);
+ }
+}
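Review bot: These tests pin the wrong behaviour: `test_create_form_back_link_should_not_escape_ampersand` and its edit-form twin require the request-supplied `back` query value to land in `href="…"` unescaped, so a value such as `/x" onmouseover="alert(1)` breaks out of the attribute (reflected XSS on an admin page), while the ampersand the tests are defending is harmless when escaped because browsers decode `href="…&amp;keyword=test"` back to `&keyword=test` before navigating. The `assertDontSee` lines are also inert as shown, since `str_replace('&', '&', $back)` is an identity transform (presumably `'&amp;'` was intended), which makes each test assert both presence and absence of the same string. The assertions should be inverted to require escaping and a quote-injection case added, as below; the template hunk that renders `$backUrl` is not in view, and its `$backUrl = $back !== '' ? $back : '/admin/plans'` context suggests the value is only checked for emptiness rather than restricted to a same-app path (e.g. must start with a single `/`, no scheme), which is worth a follow-up. The class header and the start of `loginAsPlatformAdmin()` are cut off at the top of this hunk.
```php
// … unchanged: loginAsPlatformAdmin(), plan fixture …

$back = '/admin/plans?status=active&keyword=test';

$res = $this->get('/admin/plans/create?back=' . urlencode($back));
$res->assertOk();

// Attribute value must be HTML-escaped; the browser decodes &amp; when following the link.
$res->assertSee('href="' . e($back) . '"', false);
$res->assertDontSee('href="' . $back . '"', false);

// A quote in the query string must never break out of the href attribute.
$payload = '/admin/plans?x=" onmouseover="alert(1)';
$res = $this->get('/admin/plans/create?back=' . urlencode($payload));
$res->assertOk();
$res->assertDontSee('onmouseover="alert(1)', false);
```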