From a9a6fa934b13a9a15fa85f86a8e45849b28eac61 Mon Sep 17 00:00:00 2001
From: MaxKey
Date: Thu, 25 Mar 2021 22:44:01 +0800
Subject: [PATCH] Update WebXssRequestFilter.java

---
 .../src/main/java/org/maxkey/web/WebXssRequestFilter.java | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/maxkey-core/src/main/java/org/maxkey/web/WebXssRequestFilter.java b/maxkey-core/src/main/java/org/maxkey/web/WebXssRequestFilter.java
index 4813bc15b..d264a4aa5 100644
--- a/maxkey-core/src/main/java/org/maxkey/web/WebXssRequestFilter.java
+++ b/maxkey-core/src/main/java/org/maxkey/web/WebXssRequestFilter.java
@@ -27,8 +27,10 @@ public class WebXssRequestFilter extends GenericFilterBean {
 String key = (String) parameterNames.nextElement();
 String value = request.getParameter(key);
 _logger.trace("parameter name "+key +" , value " + value);
- if(!StringEscapeUtils.escapeHtml4(value).equals(value)
- ||value.toLowerCase().indexOf("script")>-1) {
+ String tempValue = value.toLowerCase().replace(" ", "");
+ if(!StringEscapeUtils.escapeHtml4(tempValue).equals(value)
+ ||tempValue.indexOf("script")>-1
+ ||tempValue.indexOf("eval(")>-1) {
 isWebXss = true;
 _logger.error("parameter name "+key +" , value " + value + ", contains dangerous content ! ");