BackUrl::sanitizeForLinks 加强：拒绝二次编码 back%3D 绕过 并补单测

tests/Unit/BackUrlSanitizeForLinksTest.php

@@ -31,6 +31,10 @@ class BackUrlSanitizeForLinksTest extends TestCase
         $this->assertSame('', BackUrl::sanitizeForLinks('/admin/x?back=/admin/y'));
         $this->assertSame('', BackUrl::sanitizeForLinks('/admin/x?a=1&back=/admin/y'));
         $this->assertSame('', BackUrl::sanitizeForLinks('/admin/x?a=1&b=2&back=/admin/y'));
+
+        // 二次编码绕过：%26back%3D 在浏览器/中间层解码后会变回 &back=，因此也应拒绝
+        $this->assertSame('', BackUrl::sanitizeForLinks('/admin/x?a=1%26back%3D/admin/y'));
+        $this->assertSame('', BackUrl::sanitizeForLinks('/admin/x?a=1%2526back%253D/admin/y'));
     }
 
     public function test_sanitize_for_links_should_reject_paths_not_starting_with_slash(): void