From f7250c485e17f109ad95b9f24ab8449882c325bf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E8=90=9D=E5=8D=9C?=
Date: Fri, 20 Mar 2026 08:49:36 +0800
Subject: [PATCH] =?UTF-8?q?=E8=A1=A5=E9=BD=90=E5=A5=97=E9=A4=90=E8=AF=A6?=
 =?UTF-8?q?=E6=83=85=E9=A1=B5=E8=BF=94=E5=9B=9E=E9=93=BE=E6=8E=A5=E5=AE=89?=
 =?UTF-8?q?=E5=85=A8=E6=8A=A4=E6=A0=8F=E6=B5=8B=E8=AF=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 tests/Feature/AdminPlanShowTest.php | 61 +++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)

diff --git a/tests/Feature/AdminPlanShowTest.php b/tests/Feature/AdminPlanShowTest.php
index 7f950a6..3ca7dd0 100644
--- a/tests/Feature/AdminPlanShowTest.php
+++ b/tests/Feature/AdminPlanShowTest.php
@@ -179,4 +179,65 @@ class AdminPlanShowTest extends TestCase
 $res->assertSee($expectedShowUrl, false);
 $res->assertSee('查看详情');
 }
+
+ public function test_plan_show_should_drop_unsafe_back_and_not_render_return_to_previous_link(): void
+ {
+ $this->loginAsPlatformAdmin();
+
+ $plan = Plan::query()->create([
+ 'code' => 'plan_show_unsafe_back_test',
+ 'name' => '套餐详情 unsafe back 测试套餐',
+ 'billing_cycle' => 'monthly',
+ 'price' => 28,
+ 'list_price' => 38,
+ 'status' => 'active',
+ 'sort' => 10,
+ ]);
+
+ $unsafeBack = '/admin/plans?status=active&back=/admin/platform-orders';
+
+ $res = $this->get('/admin/plans/' . $plan->id . '?back=' . urlencode($unsafeBack));
+ $res->assertOk();
+
+ $res->assertDontSee('返回上一页(保留上下文)');
+ $res->assertSee('/admin/plans', false);
+ $res->assertDontSee('back=' . $unsafeBack, false);
+ }
+
+ public function test_plan_show_should_render_safe_back_but_governance_links_should_still_use_plan_show_self_back(): void
+ {
+ $this->loginAsPlatformAdmin();
+
+ $plan = Plan::query()->create([
+ 'code' => 'plan_show_safe_back_test',
+ 'name' => '套餐详情 safe back 测试套餐',
+ 'billing_cycle' => 'monthly',
+ 'price' => 58,
+ 'list_price' => 68,
+ 'status' => 'active',
+ 'sort' => 10,
+ ]);
+
+ $safeBack = '/admin/plans?' . Arr::query([
+ 'status' => 'active',
+ 'keyword' => '治理',
+ ]);
+
+ $res = $this->get('/admin/plans/' . $plan->id . '?back=' . urlencode($safeBack));
+ $res->assertOk();
+
+ $res->assertSee('href="' . $safeBack . '"', false);
+ $res->assertSee('返回上一页(保留上下文)');
+
+ $planShowSelf = '/admin/plans/' . $plan->id;
+ $expectedPaidNoReceiptUrl = '/admin/platform-orders?' . Arr::query([
+ 'plan_id' => $plan->id,
+ 'payment_status' => 'paid',
+ 'receipt_status' => 'none',
+ 'back' => $planShowSelf,
+ ]);
+
+ $res->assertSee($expectedPaidNoReceiptUrl, false);
+ $res->assertDontSee('back=' . $safeBack, false);
+ }
 }
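Review bot: The negative assertions `assertDontSee('back=' . $unsafeBack, false)` and `assertDontSee('back=' . $safeBack, false)` check only the raw, unencoded value, so they would still pass if the page leaked it in the URL-encoded form that the governance links use (the same `Arr::query` shape this test expects for `$expectedPaidNoReceiptUrl`). Add the encoded form next to each of them, `$res->assertDontSee('back=' . urlencode($unsafeBack), false);` and `$res->assertDontSee('back=' . urlencode($safeBack), false);`, so the guard is pinned against the way the value would actually be rendered. `assertSee('/admin/plans', false)` in the unsafe test is also too loose to prove a fallback link was rendered, since that path is a prefix of the page's own URL; asserting the anchor, e.g. `href="/admin/plans"`, would make it meaningful. The unsafe case covers only a nested `back=` parameter; if the guard is meant to reject off-site targets as well, an absolute or protocol-relative URL case in the same style would document that (the enclosing class begins before the hunk).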