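seed();
        $this->post('/admin/login', [
            'email' => 'platform.admin@demo.local',
            'password' => 'Platform@123456',
        ])->assertRedirect('/admin');
    }

    /**
     * Values of the `back` query parameter that the page must refuse to carry
     * into rendered links: an attribute-breaking quote, HTML markup, and a
     * nested `back=` that could be used to chain return targets.
     *
     * @return array<string, array{0: string}>
     */
    public static function invalidBackProvider(): array
    {
        return [
            'contains_quote' => ['/admin/plans?x="'],
            // Constructed sample value: the markup in the original dataset was
            // lost; a tag in the value is what this case is meant to exercise.
            'contains_tag' => ['/admin/plans?x=<b>'],
            'nested_back' => ['/admin/plans?back=/admin/platform-orders'],
        ];
    }

    /**
     * An unsafe `back` value must neither render the clickable "back to the
     * previous page" link nor be propagated into the fullUrlWithQuery()-style
     * filter links of the platform-orders index.
     */
    #[\PHPUnit\Framework\Attributes\DataProvider('invalidBackProvider')]
    public function test_index_should_drop_unsafe_back_for_safe_full_url_with_query_links(string $invalidBack): void
    {
        $this->loginAsPlatformAdmin();

        $res = $this->get('/admin/platform-orders?back=' . urlencode($invalidBack));
        $res->assertOk();
        $html = (string) $res->getContent();

        // With an unsafe back value the clickable "← 返回上一页(保留上下文)" link must
        // not be rendered. The page's explanatory text may contain the same
        // wording, so only an <a> element carrying that label is matched; the
        // label is preg_quote()d because it contains parentheses, which would
        // otherwise be read as a regex group and never match the literal text.
        $label = preg_quote('← 返回上一页(保留上下文)', '/');
        $this->assertSame(
            0,
            preg_match('/<a\b[^>]*\bhref="[^"]+"[^>]*>\s*' . $label . '\s*<\/a>/u', $html),
            'unsafe back 时不应渲染可点击的返回链接'
        );

        preg_match_all('/href="([^"]+)"/', $html, $matches);
        $hrefs = $matches[1] ?? [];

        $checked = 0;
        foreach ($hrefs as $rawHref) {
            // Attribute values are HTML-escaped ("&amp;"); decode before parsing
            // the query so a propagated "back" is not hidden behind an "amp;back" key.
            $u = html_entity_decode($rawHref, ENT_QUOTES | ENT_HTML5, 'UTF-8');
            if (!str_contains($u, '/admin/platform-orders')) {
                continue;
            }
            $parts = parse_url($u);
            parse_str($parts['query'] ?? '', $q);
            if (($q['payment_status'] ?? null) !== 'paid') {
                continue;
            }
            // Every matching filter link is checked, not only the first one found.
            $checked++;
            $this->assertArrayNotHasKey('back', $q, 'unsafe back 不应出现在 fullUrlWithQuery 类链接中');
        }

        $this->assertGreaterThan(0, $checked, '未找到 payment_status=paid 的链接用于断言 back 是否被移除');
    }
}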