mivita/tests/Feature/LocalizationMiddlewareTest.php

<?php

uses(Tests\TestCase::class);

it('does not throw when session locale is a malicious string', function () {
    $response = $this->withSession(['locale' => '-1 or 5*5=25 --'])
        ->get('/impressum');

    $response->assertSuccessful();
});

it('applies a valid session locale', function () {
    $response = $this->withSession(['locale' => 'en'])
        ->get('/impressum');

    $response->assertSuccessful();
    expect(app()->getLocale())->toBe('en');
});

it('clears invalid session locale', function () {
    $this->withSession(['locale' => '-1 or 5*5=25 --'])
        ->get('/impressum');

    expect(session('locale'))->toBeNull();
});