diff --git a/README.md b/README.md
index 4f20aad1..e1dd3f0c 100644
--- a/README.md
+++ b/README.md
@@ -109,8 +109,8 @@
## 更多介绍
-* 内置功能:
* 目录结构:
+* 内置功能:
* 架构特点:
* 参数配置:
* 开发规范:
diff --git a/common/src/main/java/com/jeesite/common/codec/EncodeUtils.java b/common/src/main/java/com/jeesite/common/codec/EncodeUtils.java
index 6368065c..43368c25 100644
--- a/common/src/main/java/com/jeesite/common/codec/EncodeUtils.java
+++ b/common/src/main/java/com/jeesite/common/codec/EncodeUtils.java
@@ -191,7 +191,7 @@ public class EncodeUtils {
// 预编译XSS过滤正则表达式
private static final List xssPatterns = ListUtils.newArrayList(
Pattern.compile("(<\\s*(script|link|style|iframe)([\\s\\S]*?)(>|<\\/\\s*\\1\\s*>))|(\\s*(script|link|style|iframe)\\s*>)", Pattern.CASE_INSENSITIVE),
- Pattern.compile("\\s*(href|src)\\s*=\\s*(\"\\s*(javascript|vbscript):[^\"]+\"|'\\s*(javascript|vbscript):[^']+'|(javascript|vbscript):[^\\s]+)\\s*(?=>)", Pattern.CASE_INSENSITIVE),
+ Pattern.compile("\\s*(href|src)\\s*=\\s*(\"\\s*(javascript|vbscript|data):[^\"]+\"|'\\s*(javascript|vbscript|data):[^']+'|(javascript|vbscript|data):[^\\s]+)\\s*(?=>)", Pattern.CASE_INSENSITIVE),
Pattern.compile("\\s*/?\\s*on[a-zA-Z]+\\s*=\\s*(['\"]?)(.*?)\\1(?=\\s|>|/>)", Pattern.CASE_INSENSITIVE),
Pattern.compile("(eval\\((.*?)\\)|expression\\((.*?)\\))", Pattern.CASE_INSENSITIVE),
Pattern.compile("^(javascript:|vbscript:)", Pattern.CASE_INSENSITIVE)
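Review bot: The `data:` scheme is added only to the `href`/`src` attribute pattern on the changed line, while the standalone-value pattern on the last context line, `^(javascript:|vbscript:)`, still lets a bare `data:` value through; for consistency it should become `Pattern.compile("^(javascript:|vbscript:|data:)", Pattern.CASE_INSENSITIVE)`. The changed pattern also ends in `\\s*(?=>)`, so as far as the regex reads it only strips an `href`/`src` that is the last attribute before `>`; the `on*` handler pattern two lines below already uses `(?=\\s|>|/>)`, and the same lookahead here would also cover an attribute followed by further attributes or `/>`. Blocking every `data:` URL will additionally strip legitimate inline images such as `src="data:image/png;base64,..."`, so if the application accepts rich text with embedded images this needs either an allow-list for `data:image/` or a test that documents the intended loss. The `xssPatterns` list continues past the end of the hunk.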
diff --git a/common/src/test/java/com/jeesite/test/codec/EncodeUtilsTest.java b/common/src/test/java/com/jeesite/test/codec/EncodeUtilsTest.java
index 73039d3f..c0f48f66 100644
--- a/common/src/test/java/com/jeesite/test/codec/EncodeUtilsTest.java
+++ b/common/src/test/java/com/jeesite/test/codec/EncodeUtilsTest.java
@@ -41,6 +41,7 @@ public class EncodeUtilsTest {
xssFilter(i++, "你好 ?abc=def&hello=123&world={\"a\":1}我还在。");
xssFilter(i++, "你好 ?abc=def&hello=123&world={'a':1}我还在。");
xssFilter(i++, "\">");
+ xssFilter(i++, "XSS