saasshop/tests/Feature/AdminPlatformOrderIndexUnsafeBackShouldBeDroppedForLinksTest.php

<?php

namespace Tests\Feature;

use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class AdminPlatformOrderIndexUnsafeBackShouldBeDroppedForLinksTest extends TestCase
{
    use RefreshDatabase;

    protected function loginAsPlatformAdmin(): void
    {
        $this->seed();

        $this->post('/admin/login', [
            'email' => 'platform.admin@demo.local',
            'password' => 'Platform@123456',
        ])->assertRedirect('/admin');
    }

    public static function invalidBackProvider(): array
    {
        return [
            'contains_quote' => ['/admin/plans?x="'],
            'contains_tag' => ['/admin/plans?<script>alert(1)</script>'],
            'nested_back' => ['/admin/plans?back=/admin/platform-orders'],
        ];
    }

    /**
     * @dataProvider invalidBackProvider
     */
    public function test_index_should_drop_unsafe_back_for_safe_full_url_with_query_links(string $invalidBack): void
    {
        $this->loginAsPlatformAdmin();

        $res = $this->get('/admin/platform-orders?back=' . urlencode($invalidBack));
        $res->assertOk();

        $html = (string) $res->getContent();

        // unsafe back 时，不应渲染“返回上一页（保留上下文）”的可点击链接。
        // 注意：页面的说明文字中可能包含该文案，因此这里用正则只匹配 <a> 标签。
        $this->assertSame(
            0,
            preg_match('/<a[^>]+href="[^"]+"[^>]*>\s*← 返回上一页（保留上下文）\s*<\/a>/', $html),
            'unsafe back 时不应渲染可点击的返回链接'
        );

        preg_match_all('/href="([^"]+)"/', $html, $matches);
        $hrefs = $matches[1] ?? [];

        $found = false;
        foreach ($hrefs as $u) {
            if (!str_contains($u, '/admin/platform-orders')) {
                continue;
            }

            $parts = parse_url($u);
            parse_str($parts['query'] ?? '', $q);

            if (($q['payment_status'] ?? null) !== 'paid') {
                continue;
            }

            $found = true;
            $this->assertArrayNotHasKey('back', $q, 'unsafe back 不应出现在 fullUrlWithQuery 类链接中');
            break;
        }

        $this->assertTrue($found, '未找到 payment_status=paid 的链接用于断言 back 是否被移除');
    }
}