diff --git a/app/Support/BackUrl.php b/app/Support/BackUrl.php
index 0b76f1f..21b6547 100644
--- a/app/Support/BackUrl.php
+++ b/app/Support/BackUrl.php
@@ -22,6 +22,11 @@ class BackUrl
             return '';
         }
 
+        // 拒绝协议相对 URL(例如 //evil.com),避免 open redirect
+        if (str_starts_with($incomingBack, '//')) {
+            return '';
+        }
+
         if (preg_match('/["\'<>]/', $incomingBack)) {
             return '';
         }
diff --git a/tests/Unit/BackUrlSanitizeForLinksTest.php b/tests/Unit/BackUrlSanitizeForLinksTest.php
index f35cf2b..a8a70b4 100644
--- a/tests/Unit/BackUrlSanitizeForLinksTest.php
+++ b/tests/Unit/BackUrlSanitizeForLinksTest.php
@@ -16,6 +16,9 @@ class BackUrlSanitizeForLinksTest extends TestCase
     {
         $this->assertSame('', BackUrl::sanitizeForLinks('https://evil.com/a'));
         $this->assertSame('', BackUrl::sanitizeForLinks('http://evil.com/a'));
+
+        // 协议相对 URL
+        $this->assertSame('', BackUrl::sanitizeForLinks('//evil.com/a'));
     }
 
     public function test_sanitize_for_links_should_reject_quotes_and_angle_brackets(): void
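Review bot: The new guard in sanitizeForLinks rejects only a literal `//` prefix, but browsers that follow the WHATWG URL parser treat a backslash like a forward slash for http(s) URLs, so a value beginning with `/\` is resolved as a network-path reference too and passes both this check and the quote/angle-bracket filter below it. Widening the condition to `if (str_starts_with($incomingBack, '//') || str_starts_with($incomingBack, '/\\')) {` covers that variant, and the same input belongs next to the assertion added in tests/Unit/BackUrlSanitizeForLinksTest.php. Whether the value has been trimmed before this point is not visible here; if leading whitespace can survive, the prefix check should run on the trimmed value so it cannot be bypassed by a leading space. The body of sanitizeForLinks starts and ends outside the hunk.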
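Review bot: The added assertion pins only the rejection side of the new guard; nothing in this hunk verifies that an ordinary single-slash path still survives it, so an over-broad fix (for example rejecting any leading slash) would go unnoticed by this test. A companion line such as `$this->assertNotSame('', BackUrl::sanitizeForLinks('/dashboard'));` — or an assertSame against the exact value the method returns for a valid path, if it normalizes input — documents the intended boundary; this may already be covered by a test method outside the hunk. The test method containing these lines starts outside the hunk.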