diff --git a/resources/views/admin/plans/form.blade.php b/resources/views/admin/plans/form.blade.php
index e407d05..deba24f 100644
--- a/resources/views/admin/plans/form.blade.php
+++ b/resources/views/admin/plans/form.blade.php
@@ -13,17 +13,19 @@
     @csrf
 
     @php
-        $back = (string) ($back ?? '');
-        // back 作为隐藏字段用于 store 后跳转回来源页：同样需要安全护栏
-        $safeBack = (str_starts_with($back, '/')
-            && !preg_match('/["\'<>]/', $back)
-            // back 本身不应再包含 back（避免无限嵌套导致 URL 膨胀）
-            && !preg_match('/(?:^|[?&])back=/', $back))
-            ? $back
+        $incomingBack = (string) ($back ?? '');
+        // back 安全护栏（全页通用）：
+        // - 仅允许站内相对路径（/ 开头）
+        // - 拒绝引号/尖括号
+        // - 拒绝 nested back=（避免 URL 膨胀/绕过）
+        $safeBackForLinks = (str_starts_with($incomingBack, '/')
+            && !preg_match('/["\'<>]/', $incomingBack)
+            && !preg_match('/(?:^|[?&])back=/', $incomingBack))
+            ? $incomingBack
             : '';
     @endphp
-    @if($safeBack !== '')
-        <input type="hidden" name="back" value="{{ $safeBack }}">
+    @if($safeBackForLinks !== '')
+        <input type="hidden" name="back" value="{{ $safeBackForLinks }}">
     @endif
 
     <label>
@@ -81,8 +83,7 @@
     </label>
 
     @php
-        $back = (string) ($back ?? '');
-        $backUrl = $back !== '' ? $back : '/admin/plans';
+        $backUrl = $safeBackForLinks !== '' ? $safeBackForLinks : '/admin/plans';
     @endphp
     <div class="form-actions actions gap-10">
         {{-- back 可能包含 query（含 &），此处需原样输出，避免 Blade escape 成 &amp; 导致回退上下文丢失。--}}