diff --git a/app/Support/BackUrl.php b/app/Support/BackUrl.php
index 5e92a3e..0b76f1f 100644
--- a/app/Support/BackUrl.php
+++ b/app/Support/BackUrl.php
@@ -26,6 +26,14 @@ class BackUrl
             return '';
         }
 
+        // 拒绝控制字符/CRLF 注入（包括明文与常见 URL 编码形式）
+        if (preg_match('/[\r\n\t]/', $incomingBack)) {
+            return '';
+        }
+        if (preg_match('/%0d|%0a|%09/i', $incomingBack)) {
+            return '';
+        }
+
         // 拒绝 back 自身再包含 back=（避免无限嵌套导致 URL 膨胀，且容易绕过页面侧护栏）
         // 同时拒绝“二次编码”的 back%3D（例如 %2526back%253D 经过一次 urldecode 后变成 %26back%3D，
         // 在浏览器点击后会再次被解码为 &back=，形成绕过）。
diff --git a/tests/Unit/BackUrlSanitizeForLinksTest.php b/tests/Unit/BackUrlSanitizeForLinksTest.php
index df6c182..f35cf2b 100644
--- a/tests/Unit/BackUrlSanitizeForLinksTest.php
+++ b/tests/Unit/BackUrlSanitizeForLinksTest.php
@@ -24,6 +24,10 @@ class BackUrlSanitizeForLinksTest extends TestCase
         $this->assertSame('', BackUrl::sanitizeForLinks("/admin/x?keyword='a'"));
         $this->assertSame('', BackUrl::sanitizeForLinks('/admin/x?a=<b>'));
         $this->assertSame('', BackUrl::sanitizeForLinks('/admin/x?a=>'));
+
+        // 控制字符/CRLF 注入
+        $this->assertSame('', BackUrl::sanitizeForLinks("/admin/x?x=1\nSet-Cookie:evil=1"));
+        $this->assertSame('', BackUrl::sanitizeForLinks('/admin/x?x=1%0aSet-Cookie:evil=1'));
     }
 
     public function test_sanitize_for_links_should_reject_nested_back_param(): void