From c9f04304a5d3863b2bcc66dc9a512c58be9199ef Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E8=90=9D=E5=8D=9C?=
Date: Sat, 14 Mar 2026 01:42:11 +0000
Subject: [PATCH] =?UTF-8?q?test(back):=20=E5=A5=97=E9=A4=90=E8=A1=A8?= =?UTF-8?q?=E5=8D=95=20back=20hidden=20input=20=E4=BB=85=E5=9C=A8=20back?= =?UTF-8?q?=20=E9=9D=9E=E7=A9=BA=E6=97=B6=E6=B8=B2=E6=9F=93=EF=BC=88?= =?UTF-8?q?=E6=8A=A4=E6=A0=8F=EF=BC=89?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
...PlanFormBackHiddenInputConditionalTest.php | 32 +++++++++++++++++++
1 file changed, 32 insertions(+)
create mode 100644 tests/Feature/AdminPlanFormBackHiddenInputConditionalTest.php
diff --git a/tests/Feature/AdminPlanFormBackHiddenInputConditionalTest.php b/tests/Feature/AdminPlanFormBackHiddenInputConditionalTest.php
new file mode 100644
index 0000000..718abba
--- /dev/null
+++ b/tests/Feature/AdminPlanFormBackHiddenInputConditionalTest.php
@@ -0,0 +1,32 @@
+seed();
+
+ $this->post('/admin/login', [
+ 'email' => 'platform.admin@demo.local',
+ 'password' => 'Platform@123456',
+ ])->assertRedirect('/admin');
+ }
+
+ public function test_create_form_should_not_render_back_hidden_input_when_back_is_empty(): void
+ {
+ $this->loginAsPlatformAdmin();
+
+ $res = $this->get('/admin/plans/create?back=' . urlencode('https://evil.example.com/?x=1'));
+ $res->assertOk();
+
+ // PlanController 会将 unsafe back 清洗为空,因此页面不应渲染 back hidden input
+ $res->assertDontSee('name="back"', false);
+ }
+}
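Review bot: The only check on the response body in test_create_form_should_not_render_back_hidden_input_when_back_is_empty is `assertDontSee('name="back"', false)`, so the test still passes if the rejected URL is reflected elsewhere on the form (a cancel link, for instance) or if the template changes how it quotes the attribute. Adding `$res->assertDontSee('evil.example.com', false);` after it would pin the property that matters for an open-redirect guard, and a companion case with a safe relative `back` that asserts the hidden input is rendered would show the negative check is not vacuous. The method name says "when_back_is_empty" although the request sends a non-empty unsafe value, and the genuinely empty case (no `back` parameter) is not exercised. The login helper posts a fixed password for `platform.admin@demo.local`, which presumably comes from the seeder; it is worth confirming that the seeder cannot run outside test or demo environments. The top of the file, including the start of the login helper, is not visible on this page.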