fix(admin platform orders create): sanitize back hidden input

resources/views/admin/platform_orders/form.blade.php

@@ -63,9 +63,16 @@
 
     @php
         $backVal = (string) old('back', $defaults['back'] ?? '');
+        // back 作为隐藏字段用于 store 后跳转回来源页：同样需要安全护栏
+        $backValSafe = (str_starts_with($backVal, '/')
+            && !preg_match('/["\'<>]/', $backVal)
+            // back 本身不应再包含 back（避免无限嵌套导致 URL 膨胀）
+            && !preg_match('/(?:^|[?&])back=/', $backVal))
+            ? $backVal
+            : '';
     @endphp
-    @if($backVal !== '')
+    @if($backValSafe !== '')
-        <input type="hidden" name="back" value="{{ $backVal }}">
+        <input type="hidden" name="back" value="{{ $backValSafe }}">
     @endif
 
     <label>