Index: forgon-core/src/main/java/com/forgon/xss/util/XSSFilterUtil.java ===================================================================
diff -u
--- forgon-core/src/main/java/com/forgon/xss/util/XSSFilterUtil.java (revision 0)
+++ forgon-core/src/main/java/com/forgon/xss/util/XSSFilterUtil.java (revision 26897)
@@ -0,0 +1,143 @@
+package com.forgon.xss.util;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+import org.apache.commons.lang.StringUtils;
+
+/**
+ * xss工具类
+ * @author forgon
+ * @since 2019-08-28
+ */
+public class XSSFilterUtil {
+private static List patterns = null;
+
+private static List getXSSPatternList() {
+List ret = new ArrayList();
+
+ret.add(new Object[] { "<(no)?script[^>]*>.*?",
+Pattern.CASE_INSENSITIVE });
+ret.add(new Object[] { "eval\\((.*?)\\)",
+Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL });
+ret.add(new Object[] { "expression\\((.*?)\\)",
+Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL });
+ret.add(new Object[] { "(javascript:|vbscript:|view-source:)*",
+Pattern.CASE_INSENSITIVE });
+ret.add(new Object[] { "<(\"[^\"]*\"|\'[^\']*\'|[^\'\">])*>",
+Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL });
+ret.add(new Object[] {
+"(window\\.location|window\\.|\\.location|document\\.cookie|document\\.|alert\\(.*?\\)|window\\.open\\()*",
+Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL });
+ret.add(new Object[] {
+"<+\\s*\\w*\\s*(oncontrolselect|oncopy|oncut|ondataavailable|ondatasetchanged|ondatasetcomplete|ondblclick|ondeactivate|ondrag|ondragend|ondragenter|ondragleave|ondragover|ondragstart|ondrop|οnerrοr=|onerroupdate|onfilterchange|onfinish|onfocus|onfocusin|onfocusout|onhelp|onkeydown|onkeypress|onkeyup|onlayoutcomplete|onload|onlosecapture|onmousedown|onmouseenter|onmouseleave|onmousemove|onmousout|onmouseover|onmouseup|onmousewheel|onmove|onmoveend|onmovestart|onabort|onactivate|onafterprint|onafterupdate|onbefore|onbeforeactivate|onbeforecopy|onbeforecut|onbeforedeactivate|onbeforeeditocus|onbeforepaste|onbeforeprint|onbeforeunload|onbeforeupdate|onblur|onbounce|oncellchange|onchange|onclick|oncontextmenu|onpaste|onpropertychange|onreadystatechange|onreset|onresize|onresizend|onresizestart|onrowenter|onrowexit|onrowsdelete|onrowsinserted|onscroll|onselect|onselectionchange|onselectstart|onstart|onstop|onsubmit|onunload)+\\s*=+",
+Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL });
+return ret;
+}
+
+private static List getPatterns() {
+
+if (patterns == null) {
+
+List list = new ArrayList();
+
+String regex = null;
+Integer flag = null;
+int arrLength = 0;
+
+for (Object[] arr : getXSSPatternList()) {
+arrLength = arr.length;
+for (int i = 0; i < arrLength; i++) {
+regex = (String) arr[0];
+flag = (Integer) arr[1];
+list.add(Pattern.compile(regex, flag));
+}
+}
+
+patterns = list;
+}
+
+return patterns;
+}
+
+public static String stripXSS(String value) {
+
+if (null == value) {
+return value;
+}
+if (StringUtils.isNotBlank(value)) {
+
+Matcher matcher = null;
+
+for (Pattern pattern : getPatterns()) {
+matcher = pattern.matcher(value);
+// 匹配
+if (matcher.find()) {
+// 删除相关字符串
+value = matcher.replaceAll("");
+}
+}
+//value = StringFilter.StringFilter(value);
+}
+// 预防SQL盲注
+String[] pattern = { "%", "select", "insert", "delete", "from",
+"count\\(", "drop table", "update", "truncate", "asc\\(",
+"mid\\(", "char\\(", "xp_cmdshell", "exec", "master",
+"netlocalgroup administrators", "net user", "or", "and" };
+for (int i = 0; i < pattern.length; i++) {
+value = value.replace(pattern[i].toString(), "");
+}
+return value;
+}
+
+public static void main(String[] args) {
+
+String value = null;
+value = XSSFilterUtil
+.stripXSS("select ***//||&;/*-+ <>$###@%$#@$%^#$^%$&^(&*)*\\''count or %% ..... ,,,, ");
+System.out.println("type-1: '" + value + "'");
+
+value = XSSFilterUtil
+.stripXSS("");
+System.out.println("type-2: '" + value + "'");
+
+value = XSSFilterUtil.stripXSS("");
+System.out.println("type-3: '" + value + "'");
+
+value = XSSFilterUtil.stripXSS(" eval(abc);");
+System.out.println("type-4: '" + value + "'");
+
+value = XSSFilterUtil.stripXSS(" expression(abc);");
+System.out.println("type-5: '" + value + "'");
+
+value = XSSFilterUtil
+.stripXSS("");
+System.out.println("type-6: '" + value + "'");
+
+value = XSSFilterUtil
+.stripXSS("");
+System.out.println("type-7: '" + value + "'");
+
+value = XSSFilterUtil
+.stripXSS("");
+System.out.println("type-8: '" + value + "'");
+
+value = XSSFilterUtil
+.stripXSS("