From 9629141734d9422a2222befa0bbdccdbac2b47ac Mon Sep 17 00:00:00 2001
From: cwchen <1048842385@qq.com>
Date: Tue, 30 Sep 2025 09:32:26 +0800
Subject: [PATCH] =?UTF-8?q?=E9=9D=9E=E6=B3=95=E5=80=BC=E6=A0=A1=E9=AA=8C?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 bonus-common/src/main/java/com/bonus/common/utils/SafeUtil.java | 2 +-
 .../src/main/java/com/bonus/framework/interceptor/XssCheck.java | 1 +
 .../java/com/bonus/framework/interceptor/XssRequestWrapper.java | 1 +
 3 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/bonus-common/src/main/java/com/bonus/common/utils/SafeUtil.java b/bonus-common/src/main/java/com/bonus/common/utils/SafeUtil.java
index 9f89fc6..a73d3f7 100644
--- a/bonus-common/src/main/java/com/bonus/common/utils/SafeUtil.java
+++ b/bonus-common/src/main/java/com/bonus/common/utils/SafeUtil.java
@@ -22,7 +22,7 @@ public class SafeUtil {
 // 危险字符和编码
 public final static String DANGEROUS_CHARS =
- "(<.*>|\\[.*\\]|\\(.*\\)|\".*\"|'.*'|@|!|\\$|;|\\||/)" +
+ "(<.*>|\\[.*\\]|\\(.*\\)|\".*\"|'.*'|@|%|!|\\$|;|\\||/)" +
 "|(%3[cdef]|%2[bf2789]|%5[bd]|%3b|%28|%29)" +
 "|(\\\\x3[cdef]|\\\\x2[bf27])" +
 "|(data:text/html|base64|document\\.|window\\.|location\\.|cookie)";
diff --git a/bonus-framework/src/main/java/com/bonus/framework/interceptor/XssCheck.java b/bonus-framework/src/main/java/com/bonus/framework/interceptor/XssCheck.java
index b09224c..4738902 100644
--- a/bonus-framework/src/main/java/com/bonus/framework/interceptor/XssCheck.java
+++ b/bonus-framework/src/main/java/com/bonus/framework/interceptor/XssCheck.java
@@ -72,6 +72,7 @@ public class XssCheck {
 // 其他特殊字符
 XSS_PATTERNS.add(Pattern.compile("@.*", Pattern.CASE_INSENSITIVE)); // @符号
 XSS_PATTERNS.add(Pattern.compile("!.*", Pattern.CASE_INSENSITIVE)); // 感叹号
+ XSS_PATTERNS.add(Pattern.compile("%", Pattern.CASE_INSENSITIVE)); // %
 // 十六进制编码
 XSS_PATTERNS.add(Pattern.compile("\\\\x3c", Pattern.CASE_INSENSITIVE)); // < 的十六进制
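Review bot: The bare `%` alternative added to DANGEROUS_CHARS matches every percent sign, so the encoded-sequence group `(%3[cdef]|%2[bf2789]|%5[bd]|%3b|%28|%29)` on the following context line can no longer be the reason a value is rejected and is effectively dead. It also widens the rule from "specific URL-encoded metacharacters" to "any percent sign", so ordinary values such as `50%` or a parameter the container left URL-encoded will now be refused; whether one `%` anywhere rejects the whole value depends on how the constant is applied (find vs matches), which is outside the hunk. If the intent is to defeat double-encoded payloads that survive the container's first decode, record that next to the constant, e.g. `// a literal '%' is rejected outright so double-encoded sequences (e.g. %253c) cannot bypass the decoded-sequence checks below`, otherwise the narrower group should stay the operative rule. The `DANGEROUS_CHARS` declaration is complete within the hunk, but the code that compiles and applies it is not shown.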
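Review bot: `Pattern.compile("%", Pattern.CASE_INSENSITIVE)` is a single literal character, so the CASE_INSENSITIVE flag has no effect and `Pattern.compile("%")` states the intent more honestly; the identical line is added to XssRequestWrapper in the next hunk. That both classes had to be patched with the same line shows XSS_PATTERNS is a hand-maintained list duplicated across XssCheck and XssRequestWrapper, and the two will drift the next time only one is updated — a single shared pattern list (SafeUtil in bonus-common is touched by this same commit and looks like a candidate, if bonus-framework already depends on it) would remove the duplication. A bare `%` also subsumes any URL-encoded entries such as `%3c` that the list may hold outside the hunk, making them unreachable, so the trailing `// %` comment should state why the whole character is refused, e.g. `// reject any '%' so double-encoded payloads cannot slip past the decoded-sequence checks`. The static initializer that fills XSS_PATTERNS starts before the hunk.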
diff --git a/bonus-framework/src/main/java/com/bonus/framework/interceptor/XssRequestWrapper.java b/bonus-framework/src/main/java/com/bonus/framework/interceptor/XssRequestWrapper.java
index 9946259..d206694 100644
--- a/bonus-framework/src/main/java/com/bonus/framework/interceptor/XssRequestWrapper.java
+++ b/bonus-framework/src/main/java/com/bonus/framework/interceptor/XssRequestWrapper.java
@@ -76,6 +76,7 @@ public class XssRequestWrapper extends HttpServletRequestWrapper {
 // 其他特殊字符
 XSS_PATTERNS.add(Pattern.compile("@.*", Pattern.CASE_INSENSITIVE)); // @符号
 XSS_PATTERNS.add(Pattern.compile("!.*", Pattern.CASE_INSENSITIVE)); // 感叹号
+ XSS_PATTERNS.add(Pattern.compile("%", Pattern.CASE_INSENSITIVE)); // %
 // 十六进制编码
 XSS_PATTERNS.add(Pattern.compile("\\\\x3c", Pattern.CASE_INSENSITIVE)); // < 的十六进制