diff --git a/bonus-common/src/main/java/com/bonus/common/utils/SafeUtil.java b/bonus-common/src/main/java/com/bonus/common/utils/SafeUtil.java
index 9f89fc6..a73d3f7 100644
--- a/bonus-common/src/main/java/com/bonus/common/utils/SafeUtil.java
+++ b/bonus-common/src/main/java/com/bonus/common/utils/SafeUtil.java
@@ -22,7 +22,7 @@ public class SafeUtil {
 
     // 危险字符和编码
     public final static String DANGEROUS_CHARS =
-            "(<.*>|\\[.*\\]|\\(.*\\)|\".*\"|'.*'|@|!|\\$|;|\\||/)" +
+            "(<.*>|\\[.*\\]|\\(.*\\)|\".*\"|'.*'|@|%|!|\\$|;|\\||/)" +
                     "|(%3[cdef]|%2[bf2789]|%5[bd]|%3b|%28|%29)" +
                     "|(\\\\x3[cdef]|\\\\x2[bf27])" +
                     "|(data:text/html|base64|document\\.|window\\.|location\\.|cookie)";
diff --git a/bonus-framework/src/main/java/com/bonus/framework/interceptor/XssCheck.java b/bonus-framework/src/main/java/com/bonus/framework/interceptor/XssCheck.java
index b09224c..4738902 100644
--- a/bonus-framework/src/main/java/com/bonus/framework/interceptor/XssCheck.java
+++ b/bonus-framework/src/main/java/com/bonus/framework/interceptor/XssCheck.java
@@ -72,6 +72,7 @@ public class XssCheck {
         // 其他特殊字符
         XSS_PATTERNS.add(Pattern.compile("@.*", Pattern.CASE_INSENSITIVE)); // @符号
         XSS_PATTERNS.add(Pattern.compile("!.*", Pattern.CASE_INSENSITIVE)); // 感叹号
+        XSS_PATTERNS.add(Pattern.compile("%", Pattern.CASE_INSENSITIVE)); // %
 
         // 十六进制编码
         XSS_PATTERNS.add(Pattern.compile("\\\\x3c", Pattern.CASE_INSENSITIVE)); // < 的十六进制
diff --git a/bonus-framework/src/main/java/com/bonus/framework/interceptor/XssRequestWrapper.java b/bonus-framework/src/main/java/com/bonus/framework/interceptor/XssRequestWrapper.java
index 9946259..d206694 100644
--- a/bonus-framework/src/main/java/com/bonus/framework/interceptor/XssRequestWrapper.java
+++ b/bonus-framework/src/main/java/com/bonus/framework/interceptor/XssRequestWrapper.java
@@ -76,6 +76,7 @@ public class XssRequestWrapper extends HttpServletRequestWrapper {
         // 其他特殊字符
         XSS_PATTERNS.add(Pattern.compile("@.*", Pattern.CASE_INSENSITIVE)); // @符号
         XSS_PATTERNS.add(Pattern.compile("!.*", Pattern.CASE_INSENSITIVE)); // 感叹号
+        XSS_PATTERNS.add(Pattern.compile("%", Pattern.CASE_INSENSITIVE)); // %
 
         // 十六进制编码
         XSS_PATTERNS.add(Pattern.compile("\\\\x3c", Pattern.CASE_INSENSITIVE)); // < 的十六进制