diff --git a/resources/views/admin/plans/index.blade.php b/resources/views/admin/plans/index.blade.php
index 425e35d..fd46f79 100644
--- a/resources/views/admin/plans/index.blade.php
+++ b/resources/views/admin/plans/index.blade.php
@@ -78,7 +78,9 @@
 // “全部”:清空筛选,但保留 back(用于返回来源页)
 $incomingBack = (string) request()->query('back', '');
- $safeBack2 = str_starts_with($incomingBack, '/') ? $incomingBack : '';
+ $safeBack2 = (str_starts_with($incomingBack, '/') && !preg_match('/["\'<>]/', $incomingBack))
+ ? $incomingBack
+ : '';
 $allUrl = '/admin/plans';
 if ($safeBack2 !== '') {
 $allUrl .= '?' . \Illuminate\Support\Arr::query(['back' => $safeBack2]);
diff --git a/resources/views/admin/platform_orders/index.blade.php b/resources/views/admin/platform_orders/index.blade.php
index 99d58d0..af85605 100644
--- a/resources/views/admin/platform_orders/index.blade.php
+++ b/resources/views/admin/platform_orders/index.blade.php
@@ -113,7 +113,9 @@
 // “全部”:清空筛选,但保留 back(用于返回来源页)
 $incomingBack = (string) request()->query('back', '');
- $safeBack = str_starts_with($incomingBack, '/') ? $incomingBack : '';
+ $safeBack = (str_starts_with($incomingBack, '/') && !preg_match('/["\'<>]/', $incomingBack))
+ ? $incomingBack
+ : '';
 $allUrl = '/admin/platform-orders';
 if ($safeBack !== '') {
 $allUrl .= '?' . \Illuminate\Support\Arr::query(['back' => $safeBack]);
diff --git a/resources/views/admin/site_subscriptions/index.blade.php b/resources/views/admin/site_subscriptions/index.blade.php
index 1da57f5..fa412eb 100644
--- a/resources/views/admin/site_subscriptions/index.blade.php
+++ b/resources/views/admin/site_subscriptions/index.blade.php
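Review bot: The new `$safeBack2` guard on the added line still accepts protocol-relative values, because `str_starts_with($incomingBack, '/')` is satisfied by `//host/path` (and by `/\host`, which some browsers treat the same way), so if `back` is ever handed to a redirect downstream this remains an off-site redirect vector; the character denylist added here does not close that gap. I would extend the condition to `str_starts_with($incomingBack, '/') && !str_starts_with($incomingBack, '//') && !str_starts_with($incomingBack, '/\\') && !preg_match('/["\'<>]/', $incomingBack)`, or better, accept only values whose `parse_url()` result has neither `scheme` nor `host`. Note also that `!preg_match(...)` treats a PCRE failure (`false`) as "no match" and lets the value through, which is a small additional reason to prefer a positive allow-check over a denylist. The same check is duplicated verbatim in the platform_orders and site_subscriptions hunks, so it belongs in one shared helper rather than three Blade files; the `if ($safeBack2 !== '')` block opened at the end of this hunk closes outside it.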
@@ -88,7 +88,9 @@
 // “全部”:清空筛选,但保留 back(用于返回来源页)
 $incomingBack = (string) request()->query('back', '');
- $safeBack = str_starts_with($incomingBack, '/') ? $incomingBack : '';
+ $safeBack = (str_starts_with($incomingBack, '/') && !preg_match('/["\'<>]/', $incomingBack))
+ ? $incomingBack
+ : '';
 $allUrl = '/admin/site-subscriptions';
 if ($safeBack !== '') {
 $allUrl .= '?' . \Illuminate\Support\Arr::query(['back' => $safeBack]);