diff --git a/resources/views/admin/plans/form.blade.php b/resources/views/admin/plans/form.blade.php
index 8e7cfc9..e407d05 100644
--- a/resources/views/admin/plans/form.blade.php
+++ b/resources/views/admin/plans/form.blade.php
@@ -12,9 +12,18 @@
 <form method="post" action="{{ $formAction }}" class="card form-grid">
     @csrf
 
-    @php $back = (string) ($back ?? ''); @endphp
-    @if($back !== '')
-        <input type="hidden" name="back" value="{{ $back }}">
+    @php
+        $back = (string) ($back ?? '');
+        // back 作为隐藏字段用于 store 后跳转回来源页：同样需要安全护栏
+        $safeBack = (str_starts_with($back, '/')
+            && !preg_match('/["\'<>]/', $back)
+            // back 本身不应再包含 back（避免无限嵌套导致 URL 膨胀）
+            && !preg_match('/(?:^|[?&])back=/', $back))
+            ? $back
+            : '';
+    @endphp
+    @if($safeBack !== '')
+        <input type="hidden" name="back" value="{{ $safeBack }}">
     @endif
 
     <label>