diff --git a/modules/core/src/main/java/com/jeesite/modules/sys/entity/Log.java b/modules/core/src/main/java/com/jeesite/modules/sys/entity/Log.java
index 1b2b0fe0..1fa7f996 100644
--- a/modules/core/src/main/java/com/jeesite/modules/sys/entity/Log.java
+++ b/modules/core/src/main/java/com/jeesite/modules/sys/entity/Log.java
@@ -5,10 +5,12 @@ package com.jeesite.modules.sys.entity;
 
 import java.util.Map;
 
-import org.apache.commons.lang3.builder.ReflectionToStringBuilder;
-import org.hibernate.validator.constraints.Length;
 import javax.validation.constraints.NotBlank;
 
+import org.apache.commons.lang3.builder.ReflectionToStringBuilder;
+import org.hibernate.validator.constraints.Length;
+
+import com.jeesite.common.codec.EncodeUtils;
 import com.jeesite.common.collect.MapUtils;
 import com.jeesite.common.entity.BaseEntity;
 import com.jeesite.common.entity.DataEntity;
@@ -242,9 +244,15 @@ public class Log extends DataEntity<Log> {
 			if (StringUtils.endsWithIgnoreCase(param.getKey(), "password")){
 				params.append("*");
 			}else if (param.getValue() != null) {
-				params.append(StringUtils.abbr(StringUtils.join(param.getValue(), ","), 1000));
+				params.append(EncodeUtils.xssFilter(StringUtils.abbr(StringUtils.join(param.getValue(), ","), 1000)));
 			}
-			this.paramsMap.put(param.getKey(), param.getValue());
+			String[] values = param.getValue();
+			if (values != null) {
+				for (int i=0; i<values.length; i++) {
+					values[i] = EncodeUtils.xssFilter(values[i]);
+				}
+			}
+			this.paramsMap.put(param.getKey(), values);
 		}
 		this.requestParams = params.toString();
 	}