From ddf5c42d794737afc9ad9350b7a01f0a2880407b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E8=90=9D=E5=8D=9C?= <dev@saasshop.local>
Date: Wed, 18 Mar 2026 14:27:02 +0800
Subject: [PATCH] =?UTF-8?q?=E6=B5=8B=E8=AF=95:=20BackUrl=20sanitizeForLink?=
 =?UTF-8?q?s=20=E5=AE=89=E5=85=A8=E6=8A=A4=E6=A0=8F?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 ...tizeForLinksShouldRejectUnsafeBackTest.php | 49 +++++++++++++++++++
 1 file changed, 49 insertions(+)
 create mode 100644 tests/Feature/BackUrlSanitizeForLinksShouldRejectUnsafeBackTest.php

diff --git a/tests/Feature/BackUrlSanitizeForLinksShouldRejectUnsafeBackTest.php b/tests/Feature/BackUrlSanitizeForLinksShouldRejectUnsafeBackTest.php
new file mode 100644
index 0000000..4c336ed
--- /dev/null
+++ b/tests/Feature/BackUrlSanitizeForLinksShouldRejectUnsafeBackTest.php
@@ -0,0 +1,49 @@
+<?php
+
+namespace Tests\Feature;
+
+use App\Support\BackUrl;
+use PHPUnit\Framework\Attributes\DataProvider;
+use Tests\TestCase;
+
+class BackUrlSanitizeForLinksShouldRejectUnsafeBackTest extends TestCase
+{
+    public static function unsafeBackProvider(): array
+    {
+        return [
+            'empty' => ['', ''],
+            'no_slash_prefix' => ['admin', ''],
+            'protocol_relative' => ['//evil.com/x', ''],
+            'absolute_url' => ['https://evil.com/x', ''],
+            'quote_injection' => ['/admin?x=" onclick="alert(1)', ''],
+            'angle_injection' => ['/admin?<script>', ''],
+            'crlf_plain' => ["/admin\nSet-Cookie: x=1", ''],
+            'crlf_encoded' => ['/admin?x=%0aSet-Cookie%3A1', ''],
+            'nested_back_query' => ['/admin?back=/admin', ''],
+            'nested_back_encoded' => ['/admin?x=1%26back%3D%2Fadmin', ''],
+            'nested_back_double_encoded' => ['/admin?x=1%2526back%253D%252Fadmin', ''],
+            'too_long' => ['/' . str_repeat('a', 2100), ''],
+        ];
+    }
+
+    public static function safeBackProvider(): array
+    {
+        return [
+            'simple' => ['/admin', '/admin'],
+            'with_query' => ['/admin/platform-orders?sync_status=failed', '/admin/platform-orders?sync_status=failed'],
+            'with_fragment' => ['/admin/platform-orders#payment-receipts', '/admin/platform-orders#payment-receipts'],
+        ];
+    }
+
+    #[DataProvider('unsafeBackProvider')]
+    public function test_sanitize_for_links_should_reject_unsafe_back(string $incoming, string $expected): void
+    {
+        $this->assertSame($expected, BackUrl::sanitizeForLinks($incoming));
+    }
+
+    #[DataProvider('safeBackProvider')]
+    public function test_sanitize_for_links_should_keep_safe_back(string $incoming, string $expected): void
+    {
+        $this->assertSame($expected, BackUrl::sanitizeForLinks($incoming));
+    }
+}