From ca5e8e63e4de4932c9e68d37502c8f08c5773190 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E8=90=9D=E5=8D=9C?=
Date: Sat, 14 Mar 2026 01:21:21 +0000
Subject: [PATCH] =?UTF-8?q?test(back):=20index=20=E9=A1=B5=20back=20?=
 =?UTF-8?q?=E9=93=BE=E6=8E=A5=E4=B8=8D=E5=BA=94=20escape=20&=EF=BC=88?=
 =?UTF-8?q?=E6=8A=A4=E6=A0=8F=EF=BC=89?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../AdminPlanIndexBackLinkNotEscapedTest.php | 33 ++++++++++++++
 ...atformOrderIndexBackLinkNotEscapedTest.php | 43 +++++++++++++++++++
 ...ubscriptionIndexBackLinkNotEscapedTest.php | 33 ++++++++++++++
 3 files changed, 109 insertions(+)
 create mode 100644 tests/Feature/AdminPlanIndexBackLinkNotEscapedTest.php
 create mode 100644 tests/Feature/AdminPlatformOrderIndexBackLinkNotEscapedTest.php
 create mode 100644 tests/Feature/AdminSiteSubscriptionIndexBackLinkNotEscapedTest.php
diff --git a/tests/Feature/AdminPlanIndexBackLinkNotEscapedTest.php b/tests/Feature/AdminPlanIndexBackLinkNotEscapedTest.php
new file mode 100644
index 0000000..3322314
--- /dev/null
+++ b/tests/Feature/AdminPlanIndexBackLinkNotEscapedTest.php
@@ -0,0 +1,33 @@
+seed();
+
+ $this->post('/admin/login', [
+ 'email' => 'platform.admin@demo.local',
+ 'password' => 'Platform@123456',
+ ])->assertRedirect('/admin');
+ }
+
+ public function test_index_back_link_should_not_escape_ampersand(): void
+ {
+ $this->loginAsPlatformAdmin();
+
+ $back = '/admin/site-subscriptions?status=activated&keyword=test';
+
+ $this->get('/admin/plans?back=' . urlencode($back))
+ ->assertOk()
+ ->assertSee('返回上一页(保留上下文)')
+ ->assertSee('href="' . $back . '"', false);
+ }
+}
diff --git a/tests/Feature/AdminPlatformOrderIndexBackLinkNotEscapedTest.php b/tests/Feature/AdminPlatformOrderIndexBackLinkNotEscapedTest.php
new file mode 100644
index 0000000..566dee6
--- /dev/null
+++ b/tests/Feature/AdminPlatformOrderIndexBackLinkNotEscapedTest.php
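Review bot: The assertion `->assertSee('href="' . $back . '"', false)` pins the plans index view to emitting the `back` query value into an `href` attribute without HTML escaping, and that is the wrong invariant to lock in: `&amp;` inside an attribute is decoded by the browser before navigation, so `href="/admin/site-subscriptions?status=activated&amp;keyword=test"` already resolves to the intended URL, whereas raw interpolation (presumably `{!! !!}` in the view, which is not in this patch) is only safe if the value can never contain `"`, `<` or a non-http scheme. If the motivation was a link that visibly broke, the likelier cause is double encoding (`&amp;amp;`) upstream, which should be asserted against directly rather than by forbidding escaping altogether. I would flip the expectation to `->assertSee('href="' . e($back) . '"', false)` and add `->assertDontSee('&amp;amp;', false)`; the identical assertion appears in AdminSiteSubscriptionIndexBackLinkNotEscapedTest in the third hunk and in the first test of AdminPlatformOrderIndexBackLinkNotEscapedTest. The class header and the opening of `loginAsPlatformAdmin()` fall outside the hunk as shown, so the seeding and authentication setup could not be reviewed.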
@@ -0,0 +1,43 @@
+seed();
+
+ $this->post('/admin/login', [
+ 'email' => 'platform.admin@demo.local',
+ 'password' => 'Platform@123456',
+ ])->assertRedirect('/admin');
+ }
+
+ public function test_index_back_link_should_not_escape_ampersand(): void
+ {
+ $this->loginAsPlatformAdmin();
+
+ $back = '/admin/site-subscriptions?status=activated&keyword=test';
+
+ $this->get('/admin/platform-orders?back=' . urlencode($back))
+ ->assertOk()
+ ->assertSee('返回上一页(保留上下文)')
+ // 关键护栏:必须是原样 &,不能被 escape 成 &
+ ->assertSee('href="' . $back . '"', false);
+ }
+
+ public function test_index_should_not_show_back_link_when_back_is_external_url(): void
+ {
+ $this->loginAsPlatformAdmin();
+
+ $this->get('/admin/platform-orders?back=' . urlencode('https://evil.example.com/?x=1&y=2'))
+ ->assertOk()
+ ->assertDontSee('返回上一页(保留上下文)');
+ }
+}
diff --git a/tests/Feature/AdminSiteSubscriptionIndexBackLinkNotEscapedTest.php b/tests/Feature/AdminSiteSubscriptionIndexBackLinkNotEscapedTest.php
new file mode 100644
index 0000000..abfbd9b
--- /dev/null
+++ b/tests/Feature/AdminSiteSubscriptionIndexBackLinkNotEscapedTest.php
@@ -0,0 +1,33 @@
+seed();
+
+ $this->post('/admin/login', [
+ 'email' => 'platform.admin@demo.local',
+ 'password' => 'Platform@123456',
+ ])->assertRedirect('/admin');
+ }
+
+ public function test_index_back_link_should_not_escape_ampersand(): void
+ {
+ $this->loginAsPlatformAdmin();
+
+ $back = '/admin/platform-orders?status=pending&keyword=test';
+
+ $this->get('/admin/site-subscriptions?back=' . urlencode($back))
+ ->assertOk()
+ ->assertSee('返回上一页(保留上下文)')
+ ->assertSee('href="' . $back . '"', false);
+ }
+}
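Review bot: `test_index_should_not_show_back_link_when_back_is_external_url` covers only an absolute `https://` URL, so it does not establish that the guard behind the back link rejects the other shapes a caller-controlled `back` can take: a protocol-relative `//evil.example.com/` value begins with `/` and would satisfy a naive leading-slash check, and because the first test in this class requires the value to be rendered raw, a value containing a double quote would terminate the `href` attribute unless the guard rejects it. The guard itself is not part of this patch, so I cannot tell which checks it applies; a `#[DataProvider]` feeding `'//evil.example.com/'`, a path carrying a `"`, and a `javascript:`-scheme value into the same `->assertDontSee('返回上一页(保留上下文)')` expectation would document the intended contract and catch regressions. The three new classes also duplicate `loginAsPlatformAdmin()` and the seeded admin credentials verbatim; moving that helper into a shared trait under `tests/Feature` keeps one source of truth when the seed data changes. The class header and the start of `loginAsPlatformAdmin()` fall outside the hunk as shown.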