Test: add unit coverage for BackUrl::sanitizeForLinks

tests/Unit/BackUrlSanitizeForLinksTest.php

@@ -0,0 +1,42 @@
+<?php
+
+namespace Tests\Unit;
+
+use App\Support\BackUrl;
+use PHPUnit\Framework\TestCase;
+
+class BackUrlSanitizeForLinksTest extends TestCase
+{
+    public function test_sanitize_for_links_should_accept_simple_relative_path(): void
+    {
+        $this->assertSame('/admin/platform-orders', BackUrl::sanitizeForLinks('/admin/platform-orders'));
+    }
+
+    public function test_sanitize_for_links_should_reject_absolute_urls(): void
+    {
+        $this->assertSame('', BackUrl::sanitizeForLinks('https://evil.com/a'));
+        $this->assertSame('', BackUrl::sanitizeForLinks('http://evil.com/a'));
+    }
+
+    public function test_sanitize_for_links_should_reject_quotes_and_angle_brackets(): void
+    {
+        $this->assertSame('', BackUrl::sanitizeForLinks('/admin/x?keyword="a"'));
+        $this->assertSame('', BackUrl::sanitizeForLinks("/admin/x?keyword='a'"));
+        $this->assertSame('', BackUrl::sanitizeForLinks('/admin/x?a=<b>'));
+        $this->assertSame('', BackUrl::sanitizeForLinks('/admin/x?a=>'));
+    }
+
+    public function test_sanitize_for_links_should_reject_nested_back_param(): void
+    {
+        $this->assertSame('', BackUrl::sanitizeForLinks('/admin/x?back=/admin/y'));
+        $this->assertSame('', BackUrl::sanitizeForLinks('/admin/x?a=1&back=/admin/y'));
+        $this->assertSame('', BackUrl::sanitizeForLinks('/admin/x?a=1&b=2&back=/admin/y'));
+    }
+
+    public function test_sanitize_for_links_should_reject_paths_not_starting_with_slash(): void
+    {
+        $this->assertSame('', BackUrl::sanitizeForLinks('admin/platform-orders'));
+        $this->assertSame('', BackUrl::sanitizeForLinks('../admin/platform-orders'));
+        $this->assertSame('', BackUrl::sanitizeForLinks('javascript:alert(1)'));
+    }
+}