diff --git a/tests/Feature/AdminPlanControllerBackValidationTest.php b/tests/Feature/AdminPlanControllerBackValidationTest.php
new file mode 100644
index 0000000..c5d68ca
--- /dev/null
+++ b/tests/Feature/AdminPlanControllerBackValidationTest.php
@@ -0,0 +1,58 @@
+seed();
+
+ $this->post('/admin/login', [
+ 'email' => 'platform.admin@demo.local',
+ 'password' => 'Platform@123456',
+ ])->assertRedirect('/admin');
+ }
+
+ public function test_create_should_not_echo_back_when_back_contains_quotes_or_brackets(): void
+ {
+ $this->loginAsPlatformAdmin();
+
+ $unsafeBack = '/admin/platform-orders?keyword="x"&a=';
+
+ $res = $this->get('/admin/plans/create?back=' . urlencode($unsafeBack));
+ $res->assertOk();
+
+ // form hidden input 不应出现 unsafe back
+ $res->assertDontSee('name="back"', false);
+ $res->assertDontSee($unsafeBack, false);
+ }
+
+ public function test_store_should_ignore_unsafe_back_and_redirect_to_index(): void
+ {
+ $this->loginAsPlatformAdmin();
+
+ $unsafeBack = '/admin/platform-orders?keyword="x"&a=';
+
+ $res = $this->post('/admin/plans', [
+ 'code' => 'plan_back_unsafe_01',
+ 'name' => 'plan back unsafe',
+ 'billing_cycle' => 'monthly',
+ 'price' => 10,
+ 'list_price' => 10,
+ 'status' => 'active',
+ 'sort' => 10,
+ 'description' => '',
+ 'published_at' => now()->toDateTimeString(),
+ 'back' => $unsafeBack,
+ ]);
+
+ // unsafe back 应被忽略,回到列表页
+ $res->assertRedirect('/admin/plans');
+ }
+}
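Review bot: Both tests use the same `$unsafeBack` fixture, which contains quotes but no bracket, so the "or_brackets" case named by `test_create_should_not_echo_back_when_back_contains_quotes_or_brackets` is never exercised; either add a bracketed variant (for example a second `$unsafeBack = '/admin/platform-orders?keyword=<x>';` run through the same assertions, or a data provider) or rename the test to what it checks. Neither test has a positive control, so an implementation that drops `back` unconditionally passes both; a companion case posting a safe value such as `'back' => '/admin/platform-orders?page=2'` and asserting `assertRedirect('/admin/platform-orders?page=2')` would pin that only unsafe values are rejected. Note also that `$res->assertDontSee($unsafeBack, false)` still passes when the value is echoed HTML-escaped (`&quot;x&quot;`), so the `assertDontSee('name="back"', false)` line is the one carrying the weight here and deserves a comment saying so. The class header, namespace and the start of `loginAsPlatformAdmin()` are not visible in this hunk (the first added line is garbled to `+seed();`), so whether the test uses `RefreshDatabase` or relies on the seeded `platform.admin@demo.local` account existing cannot be confirmed from here.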