From d916c6a4b31f0bf595b8bc128a8817f8fc17b4fb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E8=90=9D=E5=8D=9C?= Date: Sun, 15 Mar 2026 01:33:04 +0000 Subject: [PATCH] Test: add unit coverage for BackUrl::sanitizeForLinks
--- tests/Unit/BackUrlSanitizeForLinksTest.php | 42 ++++++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 tests/Unit/BackUrlSanitizeForLinksTest.php
diff --git a/tests/Unit/BackUrlSanitizeForLinksTest.php b/tests/Unit/BackUrlSanitizeForLinksTest.php new file mode 100644
index 0000000..92aa875
--- /dev/null
+++ b/tests/Unit/BackUrlSanitizeForLinksTest.php
@@ -0,0 +1,42 @@
+assertSame('/admin/platform-orders', BackUrl::sanitizeForLinks('/admin/platform-orders'));
+ }
+
+ public function test_sanitize_for_links_should_reject_absolute_urls(): void
+ {
+ $this->assertSame('', BackUrl::sanitizeForLinks('https://evil.com/a'));
+ $this->assertSame('', BackUrl::sanitizeForLinks('http://evil.com/a'));
+ }
+
+ public function test_sanitize_for_links_should_reject_quotes_and_angle_brackets(): void
+ {
+ $this->assertSame('', BackUrl::sanitizeForLinks('/admin/x?keyword="a"'));
+ $this->assertSame('', BackUrl::sanitizeForLinks("/admin/x?keyword='a'"));
+ $this->assertSame('', BackUrl::sanitizeForLinks('/admin/x?a='));
+ $this->assertSame('', BackUrl::sanitizeForLinks('/admin/x?a=>'));
+ }
+
+ public function test_sanitize_for_links_should_reject_nested_back_param(): void
+ {
+ $this->assertSame('', BackUrl::sanitizeForLinks('/admin/x?back=/admin/y'));
+ $this->assertSame('', BackUrl::sanitizeForLinks('/admin/x?a=1&back=/admin/y'));
+ $this->assertSame('', BackUrl::sanitizeForLinks('/admin/x?a=1&b=2&back=/admin/y'));
+ }
+
+ public function test_sanitize_for_links_should_reject_paths_not_starting_with_slash(): void
+ {
+ $this->assertSame('', BackUrl::sanitizeForLinks('admin/platform-orders'));
+ $this->assertSame('', BackUrl::sanitizeForLinks('../admin/platform-orders'));
+ $this->assertSame('', BackUrl::sanitizeForLinks('javascript:alert(1)'));
+ }
+}
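Review bot: The rejection cases never cover a protocol-relative target such as `//evil.com/a`, which begins with a slash and so passes a leading-slash check while the browser resolves it to a different host; test_sanitize_for_links_should_reject_absolute_urls should add `$this->assertSame('', BackUrl::sanitizeForLinks('//evil.com/a'));` and, because some browsers treat a backslash as a slash, `$this->assertSame('', BackUrl::sanitizeForLinks('/\\evil.com/a'));`. Whether the implementation already rejects these cannot be seen from this patch, so the assertions would either pin that behaviour or expose a gap; the same applies to CR/LF control characters in the value, which none of the rejection cases include. The quotes-and-angle-brackets test also only exercises the literal characters, not their percent-encoded forms, which may or may not matter depending on where the sanitized value is emitted. In this rendering the hunk's opening lines — the `<?php` header, namespace, `use` statements, class declaration and the first method's signature — appear lost up to the first `assertSame` fragment, so the first test cannot be reviewed as shown.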