diff --git a/resources/views/admin/plans/index.blade.php b/resources/views/admin/plans/index.blade.php
index 37ec3a8..790fe2c 100644
--- a/resources/views/admin/plans/index.blade.php
+++ b/resources/views/admin/plans/index.blade.php
@@ -29,6 +29,16 @@
这里是总台视角的套餐目录页,用于沉淀平台可售卖的标准能力包。
当前阶段先完成套餐主数据可见、可筛与口径收拢,后续再接授权项、售价规则与上下架动作。
+
+ @php
+ $incomingBack = (string) request()->query('back', '');
+ $safeBack = str_starts_with($incomingBack, '/') ? $incomingBack : '';
+ @endphp
+ @if($safeBack)
+
+ @endif
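Review bot: The `str_starts_with($incomingBack, '/')` test on the `$safeBack` line still accepts protocol-relative values such as `//host/path` (and `/\host`, which browsers normalise the same way), so a `back` parameter can still point off-site through this link. Tighten it to `$safeBack = str_starts_with($incomingBack, '/') && !str_starts_with($incomingBack, '//') && !str_starts_with($incomingBack, '/\\') ? $incomingBack : '';`, or build it from `parse_url()` and require an empty host. The new tests/Feature/AdminPlanIndexBackLinkTest.php only exercises an absolute `https://` value, so a second negative case with a `//`-prefixed value would pin the stricter check. The anchor markup between `@if` and `@endif` is not shown on this page, so I cannot confirm the href is emitted through `{{ }}` escaping; please verify it is not `{!! !!}`.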
diff --git a/tests/Feature/AdminPlanIndexBackLinkTest.php b/tests/Feature/AdminPlanIndexBackLinkTest.php
new file mode 100644
index 0000000..9fbd5bc
--- /dev/null
+++ b/tests/Feature/AdminPlanIndexBackLinkTest.php
@@ -0,0 +1,40 @@
+seed();
+
+ $this->post('/admin/login', [
+ 'email' => 'platform.admin@demo.local',
+ 'password' => 'Platform@123456',
+ ])->assertRedirect('/admin');
+ }
+
+ public function test_index_should_show_safe_back_link_when_back_is_relative_path(): void
+ {
+ $this->loginAsPlatformAdmin();
+
+ $this->get('/admin/plans?status=active&back=' . urlencode('/admin/site-subscriptions?status=activated'))
+ ->assertOk()
+ ->assertSee('返回上一页(保留上下文)')
+ ->assertSee('href="/admin/site-subscriptions?status=activated"', false);
+ }
+
+ public function test_index_should_not_show_back_link_when_back_is_external_url(): void
+ {
+ $this->loginAsPlatformAdmin();
+
+ $this->get('/admin/plans?back=' . urlencode('https://evil.example.com/'))
+ ->assertOk()
+ ->assertDontSee('返回上一页(保留上下文)');
+ }
+}