fix(back): 套餐表单返回链接原样输出避免 & + 护栏测试
@@ -76,7 +76,8 @@
|
||||
$backUrl = $back !== '' ? $back : '/admin/plans';
|
||||
@endphp
|
||||
<div class="form-actions">
|
||||
<a href="{{ $backUrl }}" class="btn-secondary">返回</a>
|
||||
{{-- back 可能包含 query(含 &),此处需原样输出,避免 Blade escape 成 & 导致回退上下文丢失。--}}
|
||||
<a href="{!! $backUrl !!}" class="btn-secondary">返回</a>
|
||||
<button type="submit">保存套餐</button>
|
||||
</div>
|
||||
</form>
|
||||
|
||||
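--- /dev/null
+++ b/tests/Feature/AdminPlanFormBackLinkNotEscapedTest.php
@@ -0,0 +1,59 @@
+<?php
+
+namespace Tests\Feature;
+
+use App\Models\Plan;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Tests\TestCase;
+
+class AdminPlanFormBackLinkNotEscapedTest extends TestCase
+{
+use RefreshDatabase;
+
+protected function loginAsPlatformAdmin(): void
+{
+$this->seed();
+
+$this->post('/admin/login', [
+'email' => 'platform.admin@demo.local',
+'password' => 'Platform@123456',
+])->assertRedirect('/admin');
+}
+
+public function test_create_form_back_link_should_not_escape_ampersand(): void
+{
+$this->loginAsPlatformAdmin();
+
+$back = '/admin/plans?status=active&keyword=test';
+
+$res = $this->get('/admin/plans/create?back=' . urlencode($back));
+$res->assertOk();
+
+$res->assertSee('href="' . $back . '"', false);
+$res->assertDontSee('href="' . str_replace('&', '&', $back) . '"', false);
+}
+
+public function test_edit_form_back_link_should_not_escape_ampersand(): void
+{
+$this->loginAsPlatformAdmin();
+
+$plan = Plan::query()->create([
+'code' => 'plan_form_back_01',
+'name' => 'plan form back',
+'billing_cycle' => 'monthly',
+'price' => 10,
+'list_price' => 10,
+'status' => 'active',
+'sort' => 10,
+'published_at' => now(),
+]);
+
+$back = '/admin/plans?status=inactive&keyword=test';
+
+$res = $this->get('/admin/plans/' . $plan->id . '/edit?back=' . urlencode($back));
+$res->assertOk();
+
+$res->assertSee('href="' . $back . '"', false);
+$res->assertDontSee('href="' . str_replace('&', '&', $back) . '"', false);
+}
+}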
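Review bot: Both tests pin the template to emitting the request-supplied `back` value into `href` without Blade escaping (the `{!! $backUrl !!}` change elsewhere in this commit), which guards the wrong invariant: `&amp;` inside an attribute is decoded by the browser before navigation, so the query string is not lost, whereas raw output lets a `back` value containing `"` or `<` break out of the attribute. The assertions in `test_create_form_back_link_should_not_escape_ampersand` and `test_edit_form_back_link_should_not_escape_ampersand` should be inverted to guard the escaped form, e.g. `$res->assertSee('href="' . e($back) . '"', false);` and `$res->assertDontSee('href="' . $back . '"', false);`, with a further case passing a `back` value that contains a double quote and asserting it is not present raw in the response. As displayed, `str_replace('&', '&', $back)` on the assertDontSee lines is a no-op, making them contradict the assertSee directly above; this is probably `&amp;` rendered as `&` by the page, but it should be confirmed in the source. If `back` is meant to be an app-internal path, the controller or template (outside this file) should also validate it as a relative path rather than relaxing output escaping.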