Index: forgon-core/src/main/java/com/forgon/xss/util/XSSFilterUtil.java
===================================================================
diff -u -r26905 -r34613
--- forgon-core/src/main/java/com/forgon/xss/util/XSSFilterUtil.java	(.../XSSFilterUtil.java)	(revision 26905)
+++ forgon-core/src/main/java/com/forgon/xss/util/XSSFilterUtil.java	(.../XSSFilterUtil.java)	(revision 34613)
@@ -15,6 +15,45 @@
 public class XSSFilterUtil {
 	private static List<Pattern> patterns = null;
 
+	/**
+	 * 处理存储型与反射型xss攻击漏洞(QYSRMYY-42 修复渗透测试扫描出来的存储型和反射型XSS漏洞)
+	 * @param value
+	 * @return
+	 */
+	public static String striptXss(String value){
+		if(StringUtils.isNotBlank(value)){
+			value = value.replaceAll("<", "＜");
+			value = value.replaceAll(">", "＞");
+			//下面两行会影响正常的json数据传送,暂先注释
+			//value = value.replaceAll("\\\"", "&quot");
+			//value = value.replaceAll("&", "&amp");
+			
+			Pattern scriptPattern = Pattern.compile("<script>(.*?)</script>",Pattern.CASE_INSENSITIVE);
+			value = scriptPattern.matcher(value).replaceAll("");
+			scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'",Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
+			value = scriptPattern.matcher(value).replaceAll("");
+			scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"",Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
+			value = scriptPattern.matcher(value).replaceAll("");
+			scriptPattern = Pattern.compile("</script>",Pattern.CASE_INSENSITIVE);
+			value = scriptPattern.matcher(value).replaceAll("");
+			scriptPattern = Pattern.compile("<script>(.*?)",Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
+			value = scriptPattern.matcher(value).replaceAll("");
+			scriptPattern = Pattern.compile("eval\\((.*?)\\)",Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
+			value = scriptPattern.matcher(value).replaceAll("");
+			scriptPattern = Pattern.compile("expression\\((.*?)\\)",Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
+			value = scriptPattern.matcher(value).replaceAll("");
+			scriptPattern = Pattern.compile("javascript:",Pattern.CASE_INSENSITIVE);
+			value = scriptPattern.matcher(value).replaceAll("");
+			scriptPattern = Pattern.compile("vbscript:",Pattern.CASE_INSENSITIVE);
+			value = scriptPattern.matcher(value).replaceAll("");
+			scriptPattern = Pattern.compile("onload(.*?)=",Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
+			value = scriptPattern.matcher(value).replaceAll("");
+			scriptPattern = Pattern.compile(".*<.*",Pattern.CASE_INSENSITIVE);
+			value = scriptPattern.matcher(value).replaceAll("");
+		}
+		return value;
+	}
+
     private static List<Object[]> getXSSPatternList() {
         List<Object[]> ret = new ArrayList<Object[]>();
 
@@ -62,6 +101,13 @@
         return patterns;
     }
 
+    /**
+     * DGKHYY-21 系统被医院安全扫描出代码有漏洞要修复(反射性XSS漏洞）.暂时不再使用，由striptXss代替
+     * @param value
+     * @return
+     */
+    @SuppressWarnings("unused")
+    @Deprecated
     public static String stripXSS(String value) {
 
         if (null == value) {
Index: forgon-core/src/main/java/com/forgon/xss/request/XSSServletRequest.java
===================================================================
diff -u -r26897 -r34613
--- forgon-core/src/main/java/com/forgon/xss/request/XSSServletRequest.java	(.../XSSServletRequest.java)	(revision 26897)
+++ forgon-core/src/main/java/com/forgon/xss/request/XSSServletRequest.java	(.../XSSServletRequest.java)	(revision 34613)
@@ -1,8 +1,17 @@
 package com.forgon.xss.request;
 
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Set;
+
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletRequestWrapper;
 
+import org.apache.commons.collections4.MapUtils;
+import org.apache.commons.lang3.StringUtils;
+import org.springframework.web.multipart.MultipartHttpServletRequest;
+import org.springframework.web.multipart.commons.CommonsMultipartResolver;
+
 import com.forgon.xss.util.XSSFilterUtil;
 
 /**
@@ -12,17 +21,42 @@
  */
 public class XSSServletRequest extends HttpServletRequestWrapper {
 
+	private CommonsMultipartResolver multiparResolver = new CommonsMultipartResolver();
 	public XSSServletRequest(HttpServletRequest request) {
 		super(request);
-		// TODO Auto-generated constructor stub
+		//QYSRMYY-42 修复渗透测试扫描出来的存储型和反射型XSS漏洞
+		String type = request.getHeader("Content-Type");
+		if (StringUtils.isNotBlank(type)){
+				if(type.contains("multipart/form-data")) {
+	            MultipartHttpServletRequest multipartHttpServletRequest = multiparResolver.resolveMultipart(request);
+	            Map<String, String[]> stringMap = multipartHttpServletRequest.getParameterMap();
+	            if (!stringMap.isEmpty()) {
+	                for (String key : stringMap.keySet()) {
+	                    String value = multipartHttpServletRequest.getParameter(key);
+	                    XSSFilterUtil.striptXss(key);
+	                    XSSFilterUtil.striptXss(value);
+	                }
+	            }
+	            super.setRequest(multipartHttpServletRequest);
+	        }else if(type.contains("text/html") || type.contains("application/x-www-form-urlencoded")){
+	        	Map<String,String[]> map = request.getParameterMap();
+	        	if(MapUtils.isNotEmpty(map)){
+	        		map.entrySet().stream().forEach(entry -> {
+	        			String name = entry.getKey();
+	        			String value = request.getParameter(name);
+	        			XSSFilterUtil.striptXss(value);
+	        		});
+	        	}
+	        }
+		}
 	}
 
 	@Override
 	public String getParameter(String name) {
-		return XSSFilterUtil.stripXSS(super.getParameter(name));
+		return XSSFilterUtil.striptXss(super.getParameter(name));
 	}
 
-	@Override
+	/*@Override
 	public String[] getParameterValues(String name) {
 		String[] values = super.getParameterValues(name);
 		if(values != null && values.length > 0){
@@ -32,6 +66,46 @@
 			}
 		}
 		return values;
-	}
+	}*/
+	
+	@Override
+    public String[] getParameterValues(String parameter) {
+        String[] values = super.getParameterValues(parameter);
+        if (values == null) {
+            return null;
+        }
+        int count = values.length;
+        String[] encodedValues = new String[count];
+        for (int i = 0; i < count; i++) {
+            encodedValues[i] = XSSFilterUtil.striptXss(values[i]);
+        }
+        return encodedValues;
+    }
 
+    @Override
+    public String getHeader(String name) {
+        String value = super.getHeader(name);
+        return XSSFilterUtil.striptXss(value);
+    }
+
+    @Override
+    public Map<String, String[]> getParameterMap() {
+        Map<String, String[]> map1 = super.getParameterMap();
+        Map<String, String[]> escapseMap = new HashMap<String, String[]>();
+        Set<String> keys = map1.keySet();
+        for (String key : keys) {
+            String[] valArr = map1.get(key);
+            if (valArr != null && valArr.length > 0) {
+                String[] escapseValArr = new String[valArr.length];
+                for (int i = 0; i < valArr.length; i++) {
+                    String escapseVal = XSSFilterUtil.striptXss(valArr[i]);
+                    escapseValArr[i] = escapseVal;
+                }
+                escapseMap.put(key, escapseValArr);
+            }
+        }
+
+        return escapseMap;
+    }
+
 }
Index: ssts-web/src/main/webapp/WEB-INF/web-xml-standard/web.xml
===================================================================
diff -u -r34507 -r34613
--- ssts-web/src/main/webapp/WEB-INF/web-xml-standard/web.xml	(.../web.xml)	(revision 34507)
+++ ssts-web/src/main/webapp/WEB-INF/web-xml-standard/web.xml	(.../web.xml)	(revision 34613)
@@ -42,7 +42,18 @@
 		<url-pattern>/*</url-pattern>
 	</filter-mapping>
     
+	<!-- xss过滤器配置 -->
 	<filter>
+		<filter-name>xssfilter</filter-name>
+		<filter-class>com.forgon.xss.filter.XSSFilter</filter-class>
+	</filter>
+
+	<filter-mapping>
+		<filter-name>xssfilter</filter-name>
+		<url-pattern>/*</url-pattern>
+	</filter-mapping>
+
+	<filter>
 		<filter-name>springSecurityFilterChain</filter-name>
 		<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
 	</filter>
@@ -118,17 +129,6 @@
         <url-pattern>/openSystemMainPage.jsp</url-pattern>
     </filter-mapping-->
 
-	<!-- xss过滤器配置 -->
-	<filter>
-		<filter-name>xssfilter</filter-name>
-		<filter-class>com.forgon.xss.filter.XSSFilter</filter-class>
-	</filter>
-
-	<filter-mapping>
-		<filter-name>xssfilter</filter-name>
-		<url-pattern>/*</url-pattern>
-	</filter-mapping>
-
     <listener>
         <listener-class>
             com.forgon.servlet.ForgonServletContextListener
@@ -337,6 +337,8 @@
         <session-timeout>480</session-timeout>
         <cookie-config>      
 		　　<http-only>true</http-only>
+			<!-- 下面这行配置不能加,如果有加,则服务启动后访问首页时,浏览器不能显示登录页面,并提示“重定向次数,请清除cookie”,清理cookie也不行 -->
+			<!-- <secure>true</secure> -->
 	　　</cookie-config>
     </session-config>
     <distributable/>
Index: forgon-core/src/main/java/com/forgon/xss/filter/XSSFilter.java
===================================================================
diff -u -r26897 -r34613
--- forgon-core/src/main/java/com/forgon/xss/filter/XSSFilter.java	(.../XSSFilter.java)	(revision 26897)
+++ forgon-core/src/main/java/com/forgon/xss/filter/XSSFilter.java	(.../XSSFilter.java)	(revision 34613)
@@ -1,14 +1,19 @@
 package com.forgon.xss.filter;
 
 import java.io.IOException;
+import java.text.SimpleDateFormat;
+import java.util.Calendar;
+import java.util.Locale;
 
 import javax.servlet.Filter;
 import javax.servlet.FilterChain;
 import javax.servlet.FilterConfig;
 import javax.servlet.ServletException;
 import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
+import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
 
 import com.forgon.xss.request.XSSServletRequest;
 
@@ -27,7 +32,28 @@
 	@Override
 	public void doFilter(ServletRequest request, ServletResponse response,
 			FilterChain chain) throws IOException, ServletException {
-		chain.doFilter(new XSSServletRequest((HttpServletRequest)request), response);
+		HttpServletRequest httpServletRequest = (HttpServletRequest)request;
+		/*System.out.println("httpServletRequest.getRequestURI()=" + httpServletRequest.getRequestURI());
+		System.out.println("request.getContentType()=" + request.getContentType());*/
+		XSSServletRequest xssRequest = new XSSServletRequest(httpServletRequest);
+		HttpServletResponse resp = (HttpServletResponse)response;
+		//QYSRMYY-42 修复渗透测试扫描出来的存储型和反射型XSS漏洞
+		Cookie[] cookies = xssRequest.getCookies();
+		if(cookies != null){
+			SimpleDateFormat sdf = new SimpleDateFormat("dd-MM-yyyy HH:mm:ss",Locale.CHINA);
+			for(Cookie cookie : cookies){
+				String value = cookie.getValue();
+				StringBuilder builder = new StringBuilder();
+				builder.append("JSESSIONID=" + value + "; ");
+				builder.append("Secure; ");
+				builder.append("HttpOnly; " + cookie.isHttpOnly());
+				Calendar cal = Calendar.getInstance();
+				cal.add(Calendar.HOUR, 1);
+				builder.append("Expires="+sdf.format(cal.getTime()));
+				resp.setHeader("Set-Cookie",builder.toString());
+			}
+		}
+		chain.doFilter(xssRequest, response);
 	}
 
 	@Override
