50 lines
1.6 KiB
PHP
50 lines
1.6 KiB
PHP
<?php
|
|
|
|
namespace Tests\Feature;
|
|
|
|
use Illuminate\Foundation\Testing\RefreshDatabase;
|
|
use Tests\TestCase;
|
|
|
|
class AdminPlatformOrderIndexBackLinkNotEscapedTest extends TestCase
|
|
{
|
|
use RefreshDatabase;
|
|
|
|
protected function loginAsPlatformAdmin(): void
|
|
{
|
|
$this->seed();
|
|
|
|
$this->post('/admin/login', [
|
|
'email' => 'platform.admin@demo.local',
|
|
'password' => 'Platform@123456',
|
|
])->assertRedirect('/admin');
|
|
}
|
|
|
|
public function test_index_back_link_should_not_escape_ampersand(): void
|
|
{
|
|
$this->loginAsPlatformAdmin();
|
|
|
|
$back = '/admin/site-subscriptions?status=activated&keyword=test';
|
|
|
|
$this->get('/admin/platform-orders?back=' . urlencode($back))
|
|
->assertOk()
|
|
->assertSee('返回上一页(保留上下文)')
|
|
// 关键护栏:必须是原样 &,不能被 escape 成 &
|
|
->assertSee('href="' . $back . '"', false);
|
|
}
|
|
|
|
public function test_index_should_not_render_back_href_when_back_is_external_url(): void
|
|
{
|
|
$this->loginAsPlatformAdmin();
|
|
|
|
$evil = 'https://evil.example.com/?x=1&y=2';
|
|
|
|
$res = $this->get('/admin/platform-orders?back=' . urlencode($evil));
|
|
$res->assertOk();
|
|
|
|
// 页面可能在其它位置出现“返回上一页(保留上下文)”文案,因此不做纯文本否定断言。
|
|
// 关键护栏:不应渲染任何指向外部 URL 的 back href。
|
|
$res->assertDontSee('href="' . $evil . '"', false);
|
|
$res->assertDontSee('href="' . str_replace('&', '&', $evil) . '"', false);
|
|
}
|
|
}
|