73 lines
2.3 KiB
PHP
73 lines
2.3 KiB
PHP
<?php
|
|
|
|
namespace Tests\Feature;
|
|
|
|
use Illuminate\Foundation\Testing\RefreshDatabase;
|
|
use Tests\TestCase;
|
|
|
|
class AdminPlatformOrderIndexUnsafeBackShouldBeDroppedForLinksTest extends TestCase
|
|
{
|
|
use RefreshDatabase;
|
|
|
|
protected function loginAsPlatformAdmin(): void
|
|
{
|
|
$this->seed();
|
|
|
|
$this->post('/admin/login', [
|
|
'email' => 'platform.admin@demo.local',
|
|
'password' => 'Platform@123456',
|
|
])->assertRedirect('/admin');
|
|
}
|
|
|
|
public static function invalidBackProvider(): array
|
|
{
|
|
return [
|
|
'contains_quote' => ['/admin/plans?x="'],
|
|
'contains_tag' => ['/admin/plans?<script>alert(1)</script>'],
|
|
'nested_back' => ['/admin/plans?back=/admin/platform-orders'],
|
|
];
|
|
}
|
|
|
|
#[\PHPUnit\Framework\Attributes\DataProvider('invalidBackProvider')]
|
|
public function test_index_should_drop_unsafe_back_for_safe_full_url_with_query_links(string $invalidBack): void
|
|
{
|
|
$this->loginAsPlatformAdmin();
|
|
|
|
$res = $this->get('/admin/platform-orders?back=' . urlencode($invalidBack));
|
|
$res->assertOk();
|
|
|
|
$html = (string) $res->getContent();
|
|
|
|
// unsafe back 时,不应渲染“返回上一页(保留上下文)”的可点击链接。
|
|
// 注意:页面的说明文字中可能包含该文案,因此这里用正则只匹配 <a> 标签。
|
|
$this->assertSame(
|
|
0,
|
|
preg_match('/<a[^>]+href="[^"]+"[^>]*>\s*← 返回上一页(保留上下文)\s*<\/a>/', $html),
|
|
'unsafe back 时不应渲染可点击的返回链接'
|
|
);
|
|
|
|
preg_match_all('/href="([^"]+)"/', $html, $matches);
|
|
$hrefs = $matches[1] ?? [];
|
|
|
|
$found = false;
|
|
foreach ($hrefs as $u) {
|
|
if (!str_contains($u, '/admin/platform-orders')) {
|
|
continue;
|
|
}
|
|
|
|
$parts = parse_url($u);
|
|
parse_str($parts['query'] ?? '', $q);
|
|
|
|
if (($q['payment_status'] ?? null) !== 'paid') {
|
|
continue;
|
|
}
|
|
|
|
$found = true;
|
|
$this->assertArrayNotHasKey('back', $q, 'unsafe back 不应出现在 fullUrlWithQuery 类链接中');
|
|
break;
|
|
}
|
|
|
|
$this->assertTrue($found, '未找到 payment_status=paid 的链接用于断言 back 是否被移除');
|
|
}
|
|
}
|