From 9e8951ee4363c13ec9cf79215b1950f7940d575e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E8=90=9D=E5=8D=9C?=
Date: Sat, 14 Mar 2026 01:31:04 +0000
Subject: [PATCH] =?UTF-8?q?fix(back):=20=E5=A5=97=E9=A4=90=E8=A1=A8?= =?UTF-8?q?=E5=8D=95=E8=BF=94=E5=9B=9E=E9=93=BE=E6=8E=A5=E5=8E=9F=E6=A0=B7?= =?UTF-8?q?=E8=BE=93=E5=87=BA=E9=81=BF=E5=85=8D=20&=20+=20=E6=8A=A4?= =?UTF-8?q?=E6=A0=8F=E6=B5=8B=E8=AF=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 resources/views/admin/plans/form.blade.php | 3 +-
 .../AdminPlanFormBackLinkNotEscapedTest.php | 59 +++++++++++++++++++
 2 files changed, 61 insertions(+), 1 deletion(-)
 create mode 100644 tests/Feature/AdminPlanFormBackLinkNotEscapedTest.php
diff --git a/resources/views/admin/plans/form.blade.php b/resources/views/admin/plans/form.blade.php
index d806fd5..d89d921 100644
--- a/resources/views/admin/plans/form.blade.php
+++ b/resources/views/admin/plans/form.blade.php
@@ -76,7 +76,8 @@ $backUrl = $back !== '' ? $back : '/admin/plans'; @endphp
- 返回
+ {{-- back 可能包含 query(含 &),此处需原样输出,避免 Blade escape 成 & 导致回退上下文丢失。--}}
+ 返回
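Review bot: The new anchor line emits `$backUrl` without attribute escaping (the added Blade comment says the value must be output as-is, and the commit subject says the same), yet the hunk header shows `$backUrl` is simply `$back` whenever that is non-empty, and the accompanying test feeds `$back` from the `?back=` query string, so a request-controlled value lands in the `href` attribute verbatim — an attribute-injection and unsafe-URL-scheme risk on an admin page. The stated motivation does not hold: a browser decodes `&amp;` inside an `href` back to `&` before navigating, so the escaped `{{ $backUrl }}` never lost the query context. Keep the escaped echo, `<a href="{{ $backUrl }}">返回</a>`, and tighten the `@php` block above the hunk so only a same-site path is accepted, e.g. `$backUrl = (str_starts_with($back, '/') && !str_starts_with($back, '//')) ? $back : '/admin/plans';`. The anchor markup itself is not visible in this chunk (the tags appear stripped), so the exact echo syntax is inferred from the comment, and the `@php` block that computes `$backUrl` starts outside the hunk.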
diff --git a/tests/Feature/AdminPlanFormBackLinkNotEscapedTest.php b/tests/Feature/AdminPlanFormBackLinkNotEscapedTest.php
new file mode 100644
index 0000000..e413c6f
--- /dev/null
+++ b/tests/Feature/AdminPlanFormBackLinkNotEscapedTest.php
@@ -0,0 +1,59 @@
+seed();
+
+ $this->post('/admin/login', [
+ 'email' => 'platform.admin@demo.local',
+ 'password' => 'Platform@123456',
+ ])->assertRedirect('/admin');
+ }
+
+ public function test_create_form_back_link_should_not_escape_ampersand(): void
+ {
+ $this->loginAsPlatformAdmin();
+
+ $back = '/admin/plans?status=active&keyword=test';
+
+ $res = $this->get('/admin/plans/create?back=' . urlencode($back));
+ $res->assertOk();
+
+ $res->assertSee('href="' . $back . '"', false);
+ $res->assertDontSee('href="' . str_replace('&', '&', $back) . '"', false);
+ }
+
+ public function test_edit_form_back_link_should_not_escape_ampersand(): void
+ {
+ $this->loginAsPlatformAdmin();
+
+ $plan = Plan::query()->create([
+ 'code' => 'plan_form_back_01',
+ 'name' => 'plan form back',
+ 'billing_cycle' => 'monthly',
+ 'price' => 10,
+ 'list_price' => 10,
+ 'status' => 'active',
+ 'sort' => 10,
+ 'published_at' => now(),
+ ]);
+
+ $back = '/admin/plans?status=inactive&keyword=test';
+
+ $res = $this->get('/admin/plans/' . $plan->id . '/edit?back=' . urlencode($back));
+ $res->assertOk();
+
+ $res->assertSee('href="' . $back . '"', false);
+ $res->assertDontSee('href="' . str_replace('&', '&', $back) . '"', false);
+ }
+}
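Review bot: The guard in `test_create_form_back_link_should_not_escape_ampersand` and its edit counterpart asserts that `href="…&…"` appears raw and fails if the response carries the HTML-escaped form, which locks in unescaped output of a query-string-controlled value; the test should pin the safe rendering instead, `$res->assertSee('href="' . e($back) . '"', false);`, and add a case where `back` carries a double quote or an absolute URL and assert the link falls back to `/admin/plans`. As printed here, the second argument of `str_replace('&', '&', $back)` equals the first, so the `assertDontSee` is a tautology — presumably `&amp;` was flattened when the page was rendered, but that is worth confirming in the committed file. The file header, namespace, `use` lines, class declaration and the start of `loginAsPlatformAdmin()` are not visible in this chunk.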