46 lines
1.5 KiB
PHP
46 lines
1.5 KiB
PHP
<?php
|
||
|
||
namespace Tests\Feature;
|
||
|
||
use Illuminate\Foundation\Testing\RefreshDatabase;
|
||
use Tests\TestCase;
|
||
|
||
class AdminPlatformOrderIndexBackLinkNotEscapedTest extends TestCase
|
||
{
|
||
use RefreshDatabase;
|
||
|
||
protected function loginAsPlatformAdmin(): void
|
||
{
|
||
$this->seed();
|
||
|
||
$this->post('/admin/login', [
|
||
'email' => 'platform.admin@demo.local',
|
||
'password' => 'Platform@123456',
|
||
])->assertRedirect('/admin');
|
||
}
|
||
|
||
public function test_index_back_link_should_not_escape_ampersand(): void
|
||
{
|
||
$this->loginAsPlatformAdmin();
|
||
|
||
$back = '/admin/site-subscriptions?status=activated&keyword=test';
|
||
|
||
$this->get('/admin/platform-orders?back=' . urlencode($back))
|
||
->assertOk()
|
||
->assertSee('返回上一页(保留上下文)')
|
||
// 关键护栏:必须是原样 &,不能被 escape 成 &
|
||
->assertSee('href="' . $back . '"', false);
|
||
}
|
||
|
||
public function test_index_should_not_show_back_link_when_back_is_external_url(): void
|
||
{
|
||
$this->loginAsPlatformAdmin();
|
||
|
||
$this->get('/admin/platform-orders?back=' . urlencode('https://evil.example.com/?x=1&y=2'))
|
||
->assertOk()
|
||
// 页面仍会出现“返回上一页(保留上下文)”文案(其它位置也有,例如治理SOP卡提示),
|
||
// 因此这里改为断言:不应出现该 external back 的 href。
|
||
->assertDontSee('href="https://evil.example.com/?x=1&y=2"', false);
|
||
}
|
||
}
|