diff --git a/app/Http/Controllers/Admin/PlatformOrderController.php b/app/Http/Controllers/Admin/PlatformOrderController.php
index 68c0a1c..4e11942 100644
--- a/app/Http/Controllers/Admin/PlatformOrderController.php
+++ b/app/Http/Controllers/Admin/PlatformOrderController.php
@@ -42,6 +42,13 @@ class PlatformOrderController extends Controller
             'back' => (string) $request->query('back', ''),
         ];
 
+        // back 安全阀：必须为站内相对路径，并拒绝引号/尖括号。
+        // 说明：form 页会把 defaults.back 透传到 hidden input 与返回按钮；因此这里提前清洗，避免 unsafe back 在页面中出现。
+        $incomingBack = (string) ($defaults['back'] ?? '');
+        $defaults['back'] = (str_starts_with($incomingBack, '/') && !preg_match('/["\'<>]/', $incomingBack))
+            ? $incomingBack
+            : '';
+
         $siteSubscription = null;
         $siteSubscriptionId = (int) ($defaults['site_subscription_id'] ?? 0);
         if ($siteSubscriptionId > 0) {
diff --git a/resources/views/admin/platform_orders/form.blade.php b/resources/views/admin/platform_orders/form.blade.php
index 636ccbb..c97b8a6 100644
--- a/resources/views/admin/platform_orders/form.blade.php
+++ b/resources/views/admin/platform_orders/form.blade.php
@@ -29,7 +29,13 @@
     @csrf
 
     <input type="hidden" name="site_subscription_id" value="{{ old('site_subscription_id', $defaults['site_subscription_id'] ?? '') }}">
-    <input type="hidden" name="back" value="{{ old('back', $defaults['back'] ?? '') }}">
+
+    @php
+        $backVal = (string) old('back', $defaults['back'] ?? '');
+    @endphp
+    @if($backVal !== '')
+        <input type="hidden" name="back" value="{{ $backVal }}">
+    @endif
 
     <label>
         <span>站点</span>
diff --git a/tests/Feature/AdminPlatformOrderCreateBackValidationTest.php b/tests/Feature/AdminPlatformOrderCreateBackValidationTest.php
new file mode 100644
index 0000000..c331288
--- /dev/null
+++ b/tests/Feature/AdminPlatformOrderCreateBackValidationTest.php
@@ -0,0 +1,38 @@
+<?php
+
+namespace Tests\Feature;
+
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Tests\TestCase;
+
+class AdminPlatformOrderCreateBackValidationTest extends TestCase
+{
+    use RefreshDatabase;
+
+    protected function loginAsPlatformAdmin(): void
+    {
+        $this->seed();
+
+        $this->post('/admin/login', [
+            'email' => 'platform.admin@demo.local',
+            'password' => 'Platform@123456',
+        ])->assertRedirect('/admin');
+    }
+
+    public function test_create_should_not_echo_back_hidden_input_when_back_contains_quotes_or_brackets(): void
+    {
+        $this->loginAsPlatformAdmin();
+
+        $unsafeBack = '/admin/site-subscriptions?keyword="x"&a=<b>';
+
+        $res = $this->get('/admin/platform-orders/create?back=' . urlencode($unsafeBack));
+        $res->assertOk();
+
+        // back 被清洗为空：不应回显 hidden back input，也不应出现 unsafeBack
+        $res->assertDontSee('name="back"', false);
+        $res->assertDontSee($unsafeBack, false);
+
+        // 返回按钮应回退到默认列表
+        $res->assertSee('href="/admin/platform-orders"', false);
+    }
+}