diff --git a/app/blueprints/activities.py b/app/blueprints/activities.py
index 9421def..884ee93 100644
--- a/app/blueprints/activities.py
+++ b/app/blueprints/activities.py
@@ -29,7 +29,13 @@ def submit(act_id):
         upload_dir = os.path.join(current_app.config["UPLOAD_FOLDER"], "activities")
         for idx, f in enumerate(files):
             original, web, thumb, exif = save_image(f, upload_dir)
-            img = SubmissionImage(submission_id=sub.id, original_path=original, web_path=web, thumb_path=thumb, exif_json=exif, order_index=idx)
+            root = current_app.config["UPLOAD_FOLDER"]
+            def rel(p):
+                try:
+                    return os.path.relpath(p, root)
+                except Exception:
+                    return p
+            img = SubmissionImage(submission_id=sub.id, original_path=rel(original), web_path=rel(web), thumb_path=rel(thumb), exif_json=exif, order_index=idx)
             db.session.add(img)
         db.session.commit()
         flash("投稿已提交，待审核")
diff --git a/app/blueprints/main.py b/app/blueprints/main.py
index 33a691a..57b65bc 100644
--- a/app/blueprints/main.py
+++ b/app/blueprints/main.py
@@ -1,4 +1,5 @@
-from flask import Blueprint, redirect, url_for, current_app, send_from_directory
+import os
+from flask import Blueprint, redirect, url_for, current_app, send_file, abort
 
 bp = Blueprint("main", __name__)
 
@@ -8,4 +9,10 @@ def index():
 
 @bp.route("/uploads/<path:filename>")
 def uploads(filename):
-    return send_from_directory(current_app.config["UPLOAD_FOLDER"], filename)
+    root = os.path.abspath(current_app.config["UPLOAD_FOLDER"])
+    path = filename
+    if not os.path.isabs(path):
+        path = os.path.abspath(os.path.join(root, filename))
+    if not path.startswith(root):
+        abort(404)
+    return send_file(path)
diff --git a/app/blueprints/posts.py b/app/blueprints/posts.py
index 61ac635..afa6514 100644
--- a/app/blueprints/posts.py
+++ b/app/blueprints/posts.py
@@ -31,7 +31,14 @@ def create():
         upload_dir = os.path.join(current_app.config["UPLOAD_FOLDER"], "posts")
         for idx, f in enumerate(files):
             original, web, thumb, exif = save_image(f, upload_dir)
-            img = PostImage(post_id=post.id, original_path=original, web_path=web, thumb_path=thumb, exif_json=exif, order_index=idx)
+            # 存储相对路径，兼容已有绝对路径
+            root = current_app.config["UPLOAD_FOLDER"]
+            def rel(p):
+                try:
+                    return os.path.relpath(p, root)
+                except Exception:
+                    return p
+            img = PostImage(post_id=post.id, original_path=rel(original), web_path=rel(web), thumb_path=rel(thumb), exif_json=exif, order_index=idx)
             db.session.add(img)
         db.session.commit()
         flash("作品已提交")
diff --git a/app/templates/admin/reviews_posts.html b/app/templates/admin/reviews_posts.html
index 2e107bb..4b95652 100644
--- a/app/templates/admin/reviews_posts.html
+++ b/app/templates/admin/reviews_posts.html
@@ -1,14 +1,17 @@
 {% extends 'base.html' %}
 {% block title %}作品审核{% endblock %}
 {% block content %}
-<h3>作品审核</h3>
-<table class="table">
-  <tr><th>标题</th><th>作者</th><th>操作</th></tr>
+<h3 class="mb-3">作品审核</h3>
+<div class="card-grid">
   {% for p in posts %}
-  <tr>
-    <td>{{ p.title }}</td>
-    <td>{{ p.user.username }}</td>
-    <td>
+  <div class="card">
+    {% set first = p.images[0] if p.images %}
+    {% if first %}
+      <img class="photo-thumb" src="{{ url_for('main.uploads', filename=first.web_path) }}" alt="{{ p.title }}" />
+    {% endif %}
+    <div class="p-3">
+      <div class="mb-2"><strong>{{ p.title }}</strong> · {{ p.user.username }}</div>
+      {% if p.description %}<div class="text-secondary mb-2">{{ p.description }}</div>{% endif %}
       <form method="post" action="{{ url_for('admin.approve_post', post_id=p.id) }}" style="display:inline">
         <input type="hidden" name="csrf_token" value="{{ csrf_token }}">
         <button class="btn btn-success">通过</button>
@@ -17,8 +20,8 @@
         <input type="hidden" name="csrf_token" value="{{ csrf_token }}">
         <button class="btn btn-danger">拒绝</button>
       </form>
-    </td>
-  </tr>
+    </div>
+  </div>
   {% endfor %}
-</table>
+</div>
 {% endblock %}
diff --git a/app/templates/feed/discover.html b/app/templates/feed/discover.html
index f09ebd1..652ab0d 100644
--- a/app/templates/feed/discover.html
+++ b/app/templates/feed/discover.html
@@ -8,7 +8,7 @@
     {% set first = p.images[0] if p.images %}
     {% if first %}
     <a href="{{ url_for('posts.detail', post_id=p.id) }}">
-      <img class="photo-thumb" src="{{ url_for('main.uploads', filename=first.web_path.split('uploads\\')[-1]) }}" alt="{{ p.title }}" />
+      <img class="photo-thumb" src="{{ url_for('main.uploads', filename=first.web_path) }}" alt="{{ p.title }}" />
     </a>
     {% endif %}
     <div class="p-3">
diff --git a/app/templates/feed/following.html b/app/templates/feed/following.html
index db024a9..108653c 100644
--- a/app/templates/feed/following.html
+++ b/app/templates/feed/following.html
@@ -8,7 +8,7 @@
     {% set first = p.images[0] if p.images %}
     {% if first %}
     <a href="{{ url_for('posts.detail', post_id=p.id) }}">
-      <img class="photo-thumb" src="{{ url_for('main.uploads', filename=first.web_path.split('uploads\\')[-1]) }}" alt="{{ p.title }}" />
+      <img class="photo-thumb" src="{{ url_for('main.uploads', filename=first.web_path) }}" alt="{{ p.title }}" />
     </a>
     {% endif %}
     <div class="p-3">
diff --git a/app/templates/posts/detail.html b/app/templates/posts/detail.html
index bfa8424..17a03d2 100644
--- a/app/templates/posts/detail.html
+++ b/app/templates/posts/detail.html
@@ -11,7 +11,7 @@
     <div class="row">
       {% for img in post.images %}
       <div class="col-md-4 mb-2">
-        <img src="{{ url_for('main.uploads', filename=img.web_path.split('uploads\\')[-1]) }}" class="photo-thumb" />
+        <img src="{{ url_for('main.uploads', filename=img.web_path) }}" class="photo-thumb" />
       </div>
       {% endfor %}
     </div>