diff --git a/resources/views/admin/site_subscriptions/index.blade.php b/resources/views/admin/site_subscriptions/index.blade.php
index ed63023..a5cb96c 100644
--- a/resources/views/admin/site_subscriptions/index.blade.php
+++ b/resources/views/admin/site_subscriptions/index.blade.php
@@ -37,6 +37,16 @@
这里是总台视角的订阅目录页,承接“套餐 -> 订阅 -> 平台订单”的收费主链中间层。
当前阶段先做到:可访问列表、可筛选、统计摘要;后续再接:订阅激活服务 / 续费 / 取消 / 对账。
+
+ @php
+ $incomingBack = (string) request()->query('back', '');
+ $safeBack = str_starts_with($incomingBack, '/') ? $incomingBack : '';
+ @endphp
+ @if($safeBack)
+
+ @endif
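Review bot: The `str_starts_with($incomingBack, '/')` test on the added `$safeBack` line still accepts protocol-relative values such as `//evil.example.com/` (and `/\evil.example.com`, which browsers normalise the same way), so the "safe" back link can still send the admin off-site; reject those prefixes as well, e.g. `$safeBack = str_starts_with($incomingBack, '/') && !str_starts_with($incomingBack, '//') && !str_starts_with($incomingBack, '/\\') ? $incomingBack : '';`. Separately, `(string) request()->query('back', '')` raises an "Array to string conversion" warning when the parameter arrives as `back[]=…`; reading it with `$raw = request()->query('back'); $incomingBack = is_string($raw) ? $raw : '';` avoids that. The anchor inside the `@if($safeBack)` block is not visible in this rendering, so I cannot confirm the href is emitted through Blade's escaping `{{ }}` rather than `{!! !!}`; worth checking. The new test in the second hunk (tests/Feature/AdminSiteSubscriptionIndexBackLinkTest.php) only covers an absolute `https://` URL, so a protocol-relative `//host` case should be added there to pin the stricter check.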
diff --git a/tests/Feature/AdminSiteSubscriptionIndexBackLinkTest.php b/tests/Feature/AdminSiteSubscriptionIndexBackLinkTest.php
new file mode 100644
index 0000000..868b9c1
--- /dev/null
+++ b/tests/Feature/AdminSiteSubscriptionIndexBackLinkTest.php
@@ -0,0 +1,40 @@
+seed();
+
+ $this->post('/admin/login', [
+ 'email' => 'platform.admin@demo.local',
+ 'password' => 'Platform@123456',
+ ])->assertRedirect('/admin');
+ }
+
+ public function test_index_should_show_safe_back_link_when_back_is_relative_path(): void
+ {
+ $this->loginAsPlatformAdmin();
+
+ $this->get('/admin/site-subscriptions?status=activated&back=' . urlencode('/admin/platform-orders?status=pending'))
+ ->assertOk()
+ ->assertSee('返回上一页(保留上下文)')
+ ->assertSee('href="/admin/platform-orders?status=pending"', false);
+ }
+
+ public function test_index_should_not_show_back_link_when_back_is_external_url(): void
+ {
+ $this->loginAsPlatformAdmin();
+
+ $this->get('/admin/site-subscriptions?back=' . urlencode('https://evil.example.com/'))
+ ->assertOk()
+ ->assertDontSee('返回上一页(保留上下文)');
+ }
+}