platform_orders index: rollback tools layout wrapper; quick filters use safe back
This commit is contained in:
萝卜
@@ -0,0 +1,74 @@
|
||||
<?php
|
||||
|
||||
namespace Tests\Feature;
|
||||
|
||||
use Illuminate\Foundation\Testing\RefreshDatabase;
|
||||
use Tests\TestCase;
|
||||
|
||||
class AdminPlatformOrderIndexUnsafeBackShouldBeDroppedForLinksTest extends TestCase
|
||||
{
|
||||
use RefreshDatabase;
|
||||
|
||||
protected function loginAsPlatformAdmin(): void
|
||||
{
|
||||
$this->seed();
|
||||
|
||||
$this->post('/admin/login', [
|
||||
'email' => 'platform.admin@demo.local',
|
||||
'password' => 'Platform@123456',
|
||||
])->assertRedirect('/admin');
|
||||
}
|
||||
|
||||
public static function invalidBackProvider(): array
|
||||
{
|
||||
return [
|
||||
'contains_quote' => ['/admin/plans?x="'],
|
||||
'contains_tag' => ['/admin/plans?<script>alert(1)</script>'],
|
||||
'nested_back' => ['/admin/plans?back=/admin/platform-orders'],
|
||||
];
|
||||
}
|
||||
|
||||
/**
|
||||
* @dataProvider invalidBackProvider
|
||||
*/
|
||||
public function test_index_should_drop_unsafe_back_for_safe_full_url_with_query_links(string $invalidBack): void
|
||||
{
|
||||
$this->loginAsPlatformAdmin();
|
||||
|
||||
$res = $this->get('/admin/platform-orders?back=' . urlencode($invalidBack));
|
||||
$res->assertOk();
|
||||
|
||||
$html = (string) $res->getContent();
|
||||
|
||||
// unsafe back 时,不应渲染“返回上一页(保留上下文)”的可点击链接。
|
||||
// 注意:页面的说明文字中可能包含该文案,因此这里用正则只匹配 <a> 标签。
|
||||
$this->assertSame(
|
||||
0,
|
||||
preg_match('/<a[^>]+href="[^"]+"[^>]*>\s*← 返回上一页(保留上下文)\s*<\/a>/', $html),
|
||||
'unsafe back 时不应渲染可点击的返回链接'
|
||||
);
|
||||
|
||||
preg_match_all('/href="([^"]+)"/', $html, $matches);
|
||||
$hrefs = $matches[1] ?? [];
|
||||
|
||||
$found = false;
|
||||
foreach ($hrefs as $u) {
|
||||
if (!str_contains($u, '/admin/platform-orders')) {
|
||||
continue;
|
||||
}
|
||||
|
||||
$parts = parse_url($u);
|
||||
parse_str($parts['query'] ?? '', $q);
|
||||
|
||||
if (($q['payment_status'] ?? null) !== 'paid') {
|
||||
continue;
|
||||
}
|
||||
|
||||
$found = true;
|
||||
$this->assertArrayNotHasKey('back', $q, 'unsafe back 不应出现在 fullUrlWithQuery 类链接中');
|
||||
break;
|
||||
}
|
||||
|
||||
$this->assertTrue($found, '未找到 payment_status=paid 的链接用于断言 back 是否被移除');
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user