diff --git a/app/Http/Controllers/Admin/PlatformOrderController.php b/app/Http/Controllers/Admin/PlatformOrderController.php
index a218364..68c0a1c 100644
--- a/app/Http/Controllers/Admin/PlatformOrderController.php
+++ b/app/Http/Controllers/Admin/PlatformOrderController.php
@@ -126,7 +126,8 @@ class PlatformOrderController extends Controller
 ]);
 $back = (string) ($data['back'] ?? '');
- $safeBack = str_starts_with($back, '/') ? $back : '';
+ // back 需为站内相对路径,并拒绝引号/尖括号,避免在后续页面以 `{!! !!}` 原样输出时引入 XSS 风险。
+ $safeBack = (str_starts_with($back, '/') && !preg_match('/["\'<>]/', $back)) ? $back : '';
 $redirectUrl = '/admin/platform-orders/' . $order->id;
 if ($safeBack !== '') {
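Review bot: The new `$safeBack` guard still admits protocol-relative values, because `str_starts_with($back, '/')` is also true for a value that begins with `//`, which a browser resolves against an external host, so the redirect built from `$safeBack` a few lines later can still leave the site — an open redirect that the comment's XSS reasoning does not cover. Reject a second leading slash and a backslash (some browsers normalise `/\` to `//`): `$safeBack = (str_starts_with($back, '/') && !str_starts_with($back, '//') && !preg_match('/["\'<>\\\\]/', $back)) ? $back : '';`. The character blacklist is only a thin defence for the `{!! !!}` output the comment mentions; escaping at the output site (`{{ }}` / `e()`) would be the stronger fix, though that template is not visible here. The enclosing method starts before this hunk, and the hunk appears to continue past the visible `if` line.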