<?php

namespace Tests\Feature;

use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class AdminPlatformOrderIndexBackLinkNotEscapedTest extends TestCase
{
    use RefreshDatabase;

    protected function loginAsPlatformAdmin(): void
    {
        $this->seed();

        $this->post('/admin/login', [
            'email' => 'platform.admin@demo.local',
            'password' => 'Platform@123456',
        ])->assertRedirect('/admin');
    }

    public function test_index_back_link_should_not_escape_ampersand(): void
    {
        $this->loginAsPlatformAdmin();

        $back = '/admin/site-subscriptions?status=activated&keyword=test';

        $this->get('/admin/platform-orders?back=' . urlencode($back))
            ->assertOk()
            ->assertSee('返回上一页（保留上下文）')
            // 关键护栏：必须是原样 &，不能被 escape 成 &amp;
            ->assertSee('href="' . $back . '"', false);
    }

    public function test_index_should_not_render_back_href_when_back_is_external_url(): void
    {
        $this->loginAsPlatformAdmin();

        $evil = 'https://evil.example.com/?x=1&y=2';

        $res = $this->get('/admin/platform-orders?back=' . urlencode($evil));
        $res->assertOk();

        // 页面可能在其它位置出现“返回上一页（保留上下文）”文案，因此不做纯文本否定断言。
        // 关键护栏：不应渲染任何指向外部 URL 的 back href。
        $res->assertDontSee('href="' . $evil . '"', false);
        $res->assertDontSee('href="' . str_replace('&', '&amp;', $evil) . '"', false);
    }
}