seed(); $this->post('/admin/login', [ 'email' => 'platform.admin@demo.local', 'password' => 'Platform@123456', ])->assertRedirect('/admin'); } public function test_create_should_not_echo_back_hidden_input_when_back_contains_quotes_or_brackets(): void { $this->loginAsPlatformAdmin(); $unsafeBack = '/admin/site-subscriptions?keyword="x"&a='; $res = $this->get('/admin/platform-orders/create?back=' . urlencode($unsafeBack)); $res->assertOk(); // back 被清洗为空：不应回显 hidden back input，也不应出现 unsafeBack $res->assertDontSee('name="back"', false); $res->assertDontSee($unsafeBack, false); // 返回按钮应回退到默认列表 $res->assertSee('href="/admin/platform-orders"', false); } public function test_create_should_not_echo_back_when_back_contains_nested_back_param(): void { $this->loginAsPlatformAdmin(); $nestedBack = '/admin/site-subscriptions?status=activated&back=/admin/platform-orders'; $res = $this->get('/admin/platform-orders/create?back=' . urlencode($nestedBack)); $res->assertOk(); $res->assertDontSee('name="back"', false); $res->assertDontSee($nestedBack, false); $res->assertSee('href="/admin/platform-orders"', false); } }