fix(back): 套餐表单返回链接原样输出避免 & + 护栏测试
This commit is contained in:
萝卜
@@ -76,7 +76,8 @@
|
|||||||
$backUrl = $back !== '' ? $back : '/admin/plans';
|
$backUrl = $back !== '' ? $back : '/admin/plans';
|
||||||
@endphp
|
@endphp
|
||||||
<div class="form-actions">
|
<div class="form-actions">
|
||||||
<a href="{{ $backUrl }}" class="btn-secondary">返回</a>
|
{{-- back 可能包含 query(含 &),此处需原样输出,避免 Blade escape 成 & 导致回退上下文丢失。--}}
|
||||||
|
<a href="{!! $backUrl !!}" class="btn-secondary">返回</a>
|
||||||
<button type="submit">保存套餐</button>
|
<button type="submit">保存套餐</button>
|
||||||
</div>
|
</div>
|
||||||
</form>
|
</form>
|
||||||
|
|||||||
59
tests/Feature/AdminPlanFormBackLinkNotEscapedTest.php
Normal file
59
tests/Feature/AdminPlanFormBackLinkNotEscapedTest.php
Normal file
@@ -0,0 +1,59 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
namespace Tests\Feature;
|
||||||
|
|
||||||
|
use App\Models\Plan;
|
||||||
|
use Illuminate\Foundation\Testing\RefreshDatabase;
|
||||||
|
use Tests\TestCase;
|
||||||
|
|
||||||
|
class AdminPlanFormBackLinkNotEscapedTest extends TestCase
|
||||||
|
{
|
||||||
|
use RefreshDatabase;
|
||||||
|
|
||||||
|
protected function loginAsPlatformAdmin(): void
|
||||||
|
{
|
||||||
|
$this->seed();
|
||||||
|
|
||||||
|
$this->post('/admin/login', [
|
||||||
|
'email' => 'platform.admin@demo.local',
|
||||||
|
'password' => 'Platform@123456',
|
||||||
|
])->assertRedirect('/admin');
|
||||||
|
}
|
||||||
|
|
||||||
|
public function test_create_form_back_link_should_not_escape_ampersand(): void
|
||||||
|
{
|
||||||
|
$this->loginAsPlatformAdmin();
|
||||||
|
|
||||||
|
$back = '/admin/plans?status=active&keyword=test';
|
||||||
|
|
||||||
|
$res = $this->get('/admin/plans/create?back=' . urlencode($back));
|
||||||
|
$res->assertOk();
|
||||||
|
|
||||||
|
$res->assertSee('href="' . $back . '"', false);
|
||||||
|
$res->assertDontSee('href="' . str_replace('&', '&', $back) . '"', false);
|
||||||
|
}
|
||||||
|
|
||||||
|
public function test_edit_form_back_link_should_not_escape_ampersand(): void
|
||||||
|
{
|
||||||
|
$this->loginAsPlatformAdmin();
|
||||||
|
|
||||||
|
$plan = Plan::query()->create([
|
||||||
|
'code' => 'plan_form_back_01',
|
||||||
|
'name' => 'plan form back',
|
||||||
|
'billing_cycle' => 'monthly',
|
||||||
|
'price' => 10,
|
||||||
|
'list_price' => 10,
|
||||||
|
'status' => 'active',
|
||||||
|
'sort' => 10,
|
||||||
|
'published_at' => now(),
|
||||||
|
]);
|
||||||
|
|
||||||
|
$back = '/admin/plans?status=inactive&keyword=test';
|
||||||
|
|
||||||
|
$res = $this->get('/admin/plans/' . $plan->id . '/edit?back=' . urlencode($back));
|
||||||
|
$res->assertOk();
|
||||||
|
|
||||||
|
$res->assertSee('href="' . $back . '"', false);
|
||||||
|
$res->assertDontSee('href="' . str_replace('&', '&', $back) . '"', false);
|
||||||
|
}
|
||||||
|
}
|
||||||
Reference in New Issue
Block a user