diff --git a/shenyu-admin/src/main/resources/sql-script/h2/schema.sql b/shenyu-admin/src/main/resources/sql-script/h2/schema.sql
index ce1ba2ace8d6..fbb60f4080a9 100755
--- a/shenyu-admin/src/main/resources/sql-script/h2/schema.sql
+++ b/shenyu-admin/src/main/resources/sql-script/h2/schema.sql
@@ -505,13 +505,23 @@ INSERT IGNORE INTO `shenyu_dict` (`id`, `type`,`dict_code`, `dict_name`, `dict_v
INSERT IGNORE INTO `shenyu_dict` (`id`, `type`,`dict_code`, `dict_name`, `dict_value`, `desc`, `sort`, `enabled`) VALUES ('1572621976689762308', 'loadBalance', 'LOAD_BALANCE', 'p2c', 'p2c', 'p2c', 0, 1);
INSERT IGNORE INTO `shenyu_dict` (`id`, `type`,`dict_code`, `dict_name`, `dict_value`, `desc`, `sort`, `enabled`) VALUES ('1572621976689762309', 'loadBalance', 'LOAD_BALANCE', 'shortestResponse', 'shortestResponse', 'shortestResponse', 0, 1);
-/*plugin*/
+INSERT IGNORE INTO `shenyu_dict` (`id`, `type`,`dict_code`, `dict_name`, `dict_value`, `desc`, `sort`, `enabled`) VALUES ('1630761984393367554', 'request', 'request', 'enable', 'enable', '', 2, 1);
+INSERT IGNORE INTO `shenyu_dict` (`id`, `type`,`dict_code`, `dict_name`, `dict_value`, `desc`, `sort`, `enabled`) VALUES ('1630761984393367555', 'request', 'request', 'close', 'close', '', 1, 1);
+
+INSERT IGNORE INTO `shenyu_dict` (`id`, `type`,`dict_code`, `dict_name`, `dict_value`, `desc`, `sort`, `enabled`) VALUES ('1630761984393367556', 'response', 'response', 'enable', 'enable', '', 2, 1);
+INSERT IGNORE INTO `shenyu_dict` (`id`, `type`,`dict_code`, `dict_name`, `dict_value`, `desc`, `sort`, `enabled`) VALUES ('1630761984393367557', 'response', 'response', 'close', 'close', '', 1, 1);
+
+INSERT IGNORE INTO `shenyu_dict` (`id`, `type`,`dict_code`, `dict_name`, `dict_value`, `desc`, `sort`, `enabled`) VALUES ('1630761984393367558', 'cookie', 'ATTACK', 'enable', 'enable', '', 2, 1);
+INSERT IGNORE INTO `shenyu_dict` (`id`, `type`,`dict_code`, `dict_name`, `dict_value`, `desc`, `sort`, `enabled`) VALUES ('1630761984393367559', 'cookie', 'ATTACK', 'close', 'close', '', 1, 1);
+
+
INSERT IGNORE INTO `plugin` (`id`, `name`, `role`, `sort`, `enabled`) VALUES ('1','sign','Authentication', 20, '0');
INSERT IGNORE INTO `plugin` (`id`, `name`, `role`, `sort`,`config`,`enabled`) VALUES ('2','waf', 'Authentication', 50,'{"model":"black"}','0');
-INSERT IGNORE INTO `plugin` (`id`, `name`, `role`, `sort`, `enabled`) VALUES ('3','rewrite', 'HttpProcess', 90,'0');
-INSERT IGNORE INTO `plugin` (`id`, `name`, `role`, `sort`, `config`,`enabled`) VALUES ('4','rateLimiter','FaultTolerance', 60,'{"master":"mymaster","mode":"standalone","url":"192.168.1.1:6379","password":"abc"}', '0');
-INSERT IGNORE INTO `plugin` (`id`, `name`, `role`, `sort`, `config`,`enabled`) VALUES ('5','divide', 'Proxy', 200,'{"multiSelectorHandle":"1","multiRuleHandle":"0"}','1');
-INSERT IGNORE INTO `plugin` (`id`, `name`, `role`, `sort`, `config`,`enabled`) VALUES ('6','dubbo','Proxy', 310,'{"register":"zookeeper://localhost:2181","multiSelectorHandle":"1","threadpool":"shared","corethreads":0,"threads":2147483647,"queues":0}', '0');
+INSERT IGNORE INTO `plugin` (`id`, `name`, `role`, `sort`,`config`,`enabled`) VALUES ('3','xss', 'Authentication', 55,'{"request":"intercept","response":"close","cookie":"close"}','1');
+INSERT IGNORE INTO `plugin` (`id`, `name`, `role`, `sort`, `enabled`) VALUES ('4','rewrite', 'HttpProcess', 90,'0');
+INSERT IGNORE INTO `plugin` (`id`, `name`, `role`, `sort`, `config`,`enabled`) VALUES ('5','rateLimiter','FaultTolerance', 60,'{"master":"mymaster","mode":"standalone","url":"192.168.1.1:6379","password":"abc"}', '0');
+INSERT IGNORE INTO `plugin` (`id`, `name`, `role`, `sort`, `config`,`enabled`) VALUES ('6','divide', 'Proxy', 200,'{"multiSelectorHandle":"1","multiRuleHandle":"0"}','1');
+INSERT IGNORE INTO `plugin` (`id`, `name`, `role`, `sort`, `config`,`enabled`) VALUES ('7','dubbo','Proxy', 310,'{"register":"zookeeper://localhost:2181","multiSelectorHandle":"1","threadpool":"shared","corethreads":0,"threads":2147483647,"queues":0}', '0');
INSERT IGNORE INTO `plugin` (`id`, `name`, `role`, `sort`, `enabled`) VALUES ('8','springCloud','Proxy', 200, '0');
INSERT IGNORE INTO `plugin` (`id`, `name`, `role`, `sort`, `enabled`) VALUES ('9','hystrix', 'FaultTolerance', 130,'0');
INSERT IGNORE INTO `plugin` (`id`, `name`, `role`, `sort`, `enabled`) VALUES ('10','sentinel', 'FaultTolerance', 140,'0');
@@ -547,6 +557,11 @@ INSERT IGNORE INTO `plugin` (`id`, `name`, `role`, `sort`, `enabled`) VALUES ('4
INSERT IGNORE INTO `plugin` (`id`, `name`, `role`, `sort`, `config`, `enabled`) VALUES ('41', 'brpc', 'Proxy', 310,'{"address":"127.0.0.1","port":"8005","corethreads":0,"threads":2147483647,"queues":0,"threadpool":"shared"}','0');
/*insert plugin_handle data for sentinel*/
+INSERT IGNORE INTO plugin_handle (`id`, `plugin_id`,`field`,`label`,`data_type`,`type`,`sort`,`ext_obj`) VALUES ('1529402613204172963', '3', 'request', 'Request', 3, 3, 1, '{"required":"1","defaultValue":"enable","placeholder":"attack"}');
+INSERT IGNORE INTO plugin_handle (`id`, `plugin_id`,`field`,`label`,`data_type`,`type`,`sort`,`ext_obj`) VALUES ('1529402613204172964', '3', 'response', 'Response', 3, 3, 2, '{"required":"1","defaultValue":"close","placeholder":"attack"}');
+INSERT IGNORE INTO plugin_handle (`id`, `plugin_id`,`field`,`label`,`data_type`,`type`,`sort`,`ext_obj`) VALUES ('1529402613204172965', '3', 'cookie', 'Cookie', 3, 3, 3, '{"required":"1","defaultValue":"close","placeholder":"attack"}');
+
+
INSERT IGNORE INTO plugin_handle (`id`, `plugin_id`,`field`,`label`,`data_type`,`type`,`sort`,`ext_obj`) VALUES ('1529402613195784246', '10', 'flowRuleGrade', 'flowRuleGrade', 3, 2, 8, '{"required":"1","defaultValue":"1","rule":""}');
INSERT IGNORE INTO plugin_handle (`id`, `plugin_id`,`field`,`label`,`data_type`,`type`,`sort`,`ext_obj`) VALUES ('1529402613199978496', '10', 'flowRuleControlBehavior', 'flowRuleControlBehavior', 3, 2, 5, '{"required":"1","defaultValue":"0","rule":""}');
INSERT IGNORE INTO plugin_handle (`id`, `plugin_id`,`field`,`label`,`data_type`,`type`,`sort`,`ext_obj`) VALUES ('1529402613199978497', '10', 'flowRuleEnable', 'flowRuleEnable 1 or 0)', 1, 2, 7, '{"required":"1","defaultValue":"1","rule":"/^[01]$/"}');
diff --git a/shenyu-bootstrap/pom.xml b/shenyu-bootstrap/pom.xml
index 135a3f805678..9eafaca12540 100644
--- a/shenyu-bootstrap/pom.xml
+++ b/shenyu-bootstrap/pom.xml
@@ -64,6 +64,14 @@
+
+
+ org.apache.shenyu
+ shenyu-spring-boot-starter-plugin-xss
+ ${project.version}
+
+
+
org.apache.shenyu
diff --git a/shenyu-common/src/main/java/org/apache/shenyu/common/dto/convert/rule/XssHandle.java b/shenyu-common/src/main/java/org/apache/shenyu/common/dto/convert/rule/XssHandle.java
new file mode 100644
index 000000000000..e2552459c2e3
--- /dev/null
+++ b/shenyu-common/src/main/java/org/apache/shenyu/common/dto/convert/rule/XssHandle.java
@@ -0,0 +1,101 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.shenyu.common.dto.convert.rule;
+
+import java.util.Objects;
+
+/**
+ * this is Xss plugin handle.
+ */
+public class XssHandle {
+
+ /**
+ * permission.
+ */
+ private String permission;
+
+ /**
+ * statusCode.
+ */
+ private String statusCode;
+
+ /**
+ * get permission.
+ *
+ * @return permission
+ */
+ public String getPermission() {
+ return permission;
+ }
+
+ /**
+ * set permission.
+ *
+ * @param permission permission
+ */
+ public void setPermission(final String permission) {
+ this.permission = permission;
+ }
+
+ /**
+ * get statusCode.
+ *
+ * @return statusCode
+ */
+ public String getStatusCode() {
+ return statusCode;
+ }
+
+ /**
+ * set statusCode.
+ *
+ * @param statusCode statusCode
+ */
+ public void setStatusCode(final String statusCode) {
+ this.statusCode = statusCode;
+ }
+
+ @Override
+ public boolean equals(final Object o) {
+ if (this == o) {
+ return true;
+ }
+ if (o == null || getClass() != o.getClass()) {
+ return false;
+ }
+ XssHandle XssHandle = (XssHandle) o;
+ return Objects.equals(permission, XssHandle.permission) && Objects.equals(statusCode, XssHandle.statusCode);
+ }
+
+ @Override
+ public int hashCode() {
+ return Objects.hash(permission, statusCode);
+ }
+
+ @Override
+ public String toString() {
+ return "XssHandle{"
+ + "permission='"
+ + permission
+ + '\''
+ + ", statusCode='"
+ + statusCode
+ + '\''
+ + '}';
+ }
+}
diff --git a/shenyu-common/src/main/java/org/apache/shenyu/common/enums/PluginEnum.java b/shenyu-common/src/main/java/org/apache/shenyu/common/enums/PluginEnum.java
index 8e28218de6fb..1af74ca03f81 100644
--- a/shenyu-common/src/main/java/org/apache/shenyu/common/enums/PluginEnum.java
+++ b/shenyu-common/src/main/java/org/apache/shenyu/common/enums/PluginEnum.java
@@ -75,7 +75,12 @@ public enum PluginEnum {
* Waf plugin enum.
*/
WAF(50, 0, "waf"),
-
+
+ /**
+ * Xss plugin enum.
+ */
+ XSS(55, 0, "xss"),
+
/**
* Rate limiter plugin enum.
*/
diff --git a/shenyu-common/src/main/java/org/apache/shenyu/common/enums/XssEnum.java b/shenyu-common/src/main/java/org/apache/shenyu/common/enums/XssEnum.java
new file mode 100644
index 000000000000..bbb0a4356b28
--- /dev/null
+++ b/shenyu-common/src/main/java/org/apache/shenyu/common/enums/XssEnum.java
@@ -0,0 +1,51 @@
+package org.apache.shenyu.common.enums;
+
+/**
+ * xss enum.
+ */
+public enum XssEnum {
+
+
+ /**
+ * Reject xss enum.
+ */
+ REJECT(0, "reject"),
+
+ /**
+ * Allow xss enum.
+ */
+ ALLOW(1, "allow");
+
+ private final int code;
+
+ private final String name;
+
+ /**
+ * all args constructor.
+ *
+ * @param code code
+ * @param name name
+ */
+ XssEnum(final int code, final String name) {
+ this.code = code;
+ this.name = name;
+ }
+
+ /**
+ * get code.
+ *
+ * @return code
+ */
+ public int getCode() {
+ return code;
+ }
+
+ /**
+ * get name.
+ *
+ * @return name
+ */
+ public String getName() {
+ return name;
+ }
+}
diff --git a/shenyu-plugin/pom.xml b/shenyu-plugin/pom.xml
index fd9ad504bf0a..ddc6c849c6c0 100644
--- a/shenyu-plugin/pom.xml
+++ b/shenyu-plugin/pom.xml
@@ -65,5 +65,6 @@
shenyu-plugin-casdoor
shenyu-plugin-key-auth
shenyu-plugin-brpc
+ shenyu-plugin-xss
diff --git a/shenyu-plugin/shenyu-plugin-xss/pom.xml b/shenyu-plugin/shenyu-plugin-xss/pom.xml
new file mode 100644
index 000000000000..75bd1586ec14
--- /dev/null
+++ b/shenyu-plugin/shenyu-plugin-xss/pom.xml
@@ -0,0 +1,62 @@
+
+
+
+
+
+ org.apache.shenyu
+ shenyu-plugin
+ 2.6.0-SNAPSHOT
+
+ 4.0.0
+ shenyu-plugin-xss
+
+
+
+ org.apache.shenyu
+ shenyu-plugin-base
+ ${project.version}
+
+
+ org.apache.shenyu
+ shenyu-loadbalancer
+ ${project.version}
+
+
+ io.projectreactor
+ reactor-test
+ test
+
+
+ org.assertj
+ assertj-core
+ test
+
+
+ com.fasterxml.jackson.module
+ jackson-module-kotlin
+ test
+
+
+ org.springframework
+ spring-test
+ test
+
+
+
\ No newline at end of file
diff --git a/shenyu-plugin/shenyu-plugin-xss/src/main/java/org/apache/shenyu/plugin/xss/XssPlugin.java b/shenyu-plugin/shenyu-plugin-xss/src/main/java/org/apache/shenyu/plugin/xss/XssPlugin.java
new file mode 100644
index 000000000000..cd8a7491d3ad
--- /dev/null
+++ b/shenyu-plugin/shenyu-plugin-xss/src/main/java/org/apache/shenyu/plugin/xss/XssPlugin.java
@@ -0,0 +1,140 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.shenyu.plugin.xss;
+
+import org.apache.shenyu.common.dto.RuleData;
+import org.apache.shenyu.common.dto.SelectorData;
+import org.apache.shenyu.common.dto.convert.rule.XssHandle;
+import org.apache.shenyu.common.enums.PluginEnum;
+import org.apache.shenyu.common.utils.Singleton;
+import org.apache.shenyu.plugin.api.ShenyuPluginChain;
+import org.apache.shenyu.plugin.base.AbstractShenyuPlugin;
+import org.apache.shenyu.plugin.base.utils.CacheKeyUtils;
+import org.apache.shenyu.plugin.xss.config.XssConfig;
+import org.apache.shenyu.plugin.xss.handler.XssPluginDataHandler;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.server.reactive.ServerHttpRequest;
+import org.springframework.http.server.reactive.ServerHttpResponse;
+import org.springframework.util.LinkedMultiValueMap;
+import org.springframework.util.MultiValueMap;
+import org.springframework.web.server.ServerWebExchange;
+import org.springframework.web.util.HtmlUtils;
+import org.springframework.web.util.UriComponentsBuilder;
+import reactor.core.publisher.Mono;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Objects;
+
+/**
+ * XSS plugin avoids common XSS attacks.
+ */
+public class XssPlugin extends AbstractShenyuPlugin {
+
+ private static final Logger LOG = LoggerFactory.getLogger(XssPlugin.class);
+
+
+ @Override
+ protected Mono doExecute(final ServerWebExchange exchange, final ShenyuPluginChain chain, final SelectorData selector, final RuleData rule) {
+ LOG.info("Xss plugin doExecute start.");
+
+ final XssConfig xssConfig = Singleton.INST.get(XssConfig.class);
+ XssHandle xssHandle = XssPluginDataHandler.CACHED_HANDLE.get().obtainHandle(CacheKeyUtils.INST.getKey(rule));
+
+ // Parameter attack
+ if (Objects.isNull(xssHandle)) {
+ LOG.error("xss handler can not configuration,skip.");
+ return chain.execute(exchange);
+ }
+ final HttpHeaders headers = exchange.getResponse().getHeaders();
+
+
+// ServerHttpRequest request = exchange.getRequest();
+// ServerWebExchange modifiedExchange = exchange.mutate()
+// .request(originalRequest -> originalRequest.uri(
+// UriComponentsBuilder.fromUri(exchange.getRequest()
+// .getURI())
+// .replaceQueryParams(parameterToHtml(request, xssHandle))
+// .build()
+// .encode()
+// .toUri()
+// )
+// ).build();
+
+ // Parameter attack
+
+
+ // CSP https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
+ if (!headers.containsKey("Content-Security-Policy")) {
+ headers.add("Content-Security-Policy", "script-src 'self'");
+ }
+ // CSP
+
+
+ // Cookie Http only
+ ServerHttpResponse response = exchange.getResponse();
+ List cookies = headers.get(HttpHeaders.SET_COOKIE);
+
+ if (cookies != null) {
+ final String cookieStr = String.join(",", cookies);
+ if (!cookieStr.contains("HttpOnly")) {
+ List newCookies = new ArrayList<>(cookies.size());
+ for (String cookie : cookies) {
+ if (cookie.contains("JSESSIONID")) {
+ newCookies.add(cookie + "; HttpOnly");
+ } else {
+ newCookies.add(cookie);
+ }
+ }
+ headers.put(HttpHeaders.SET_COOKIE, newCookies);
+ }
+ }
+ // Cookie Http only
+
+
+ LOG.info("Xss plugin doExecute end.");
+ return chain.execute(exchange);
+ }
+
+ private MultiValueMap parameterToHtml(final ServerHttpRequest request, final XssHandle xssHandle) {
+ MultiValueMap queryParams = new LinkedMultiValueMap<>(request.getQueryParams());
+
+ queryParams.forEach((k, v) -> {
+ final List newValues = new ArrayList<>();
+ for (final String value : v) {
+ newValues.add(HtmlUtils.htmlEscape(value));
+ }
+ queryParams.replace(k, newValues);
+ });
+ return queryParams;
+ }
+
+
+ @Override
+ public int getOrder() {
+ return PluginEnum.XSS.getCode();
+ }
+
+ @Override
+ public String named() {
+ return PluginEnum.XSS.getName();
+ }
+
+}
diff --git a/shenyu-plugin/shenyu-plugin-xss/src/main/java/org/apache/shenyu/plugin/xss/config/XssConfig.java b/shenyu-plugin/shenyu-plugin-xss/src/main/java/org/apache/shenyu/plugin/xss/config/XssConfig.java
new file mode 100644
index 000000000000..d650118eb88a
--- /dev/null
+++ b/shenyu-plugin/shenyu-plugin-xss/src/main/java/org/apache/shenyu/plugin/xss/config/XssConfig.java
@@ -0,0 +1,114 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.shenyu.plugin.xss.config;
+
+import java.io.Serializable;
+
+/**
+ * The type Xss config.
+ */
+public class XssConfig implements Serializable {
+
+ private static final long serialVersionUID = 96834909685183123L;
+
+ private String request;
+
+ private String response;
+
+ private String csp;
+
+ private String httpOnly;
+
+
+ /**
+ * get request.
+ *
+ * @return request
+ */
+ public String getRequest() {
+ return request;
+ }
+
+ /**
+ * set request.
+ *
+ * @param request request
+ */
+ public void setRequest(final String request) {
+ this.request = request;
+ }
+
+ /**
+ * get response.
+ *
+ * @return response
+ */
+ public String getResponse() {
+ return response;
+ }
+
+ /**
+ * set response.
+ *
+ * @param response response
+ */
+ public void setResponse(final String response) {
+ this.response = response;
+ }
+
+ /**
+ * get csp.
+ *
+ * @return csp
+ */
+ public String getCsp() {
+ return csp;
+ }
+
+ /**
+ * set csp.
+ *
+ * @param csp csp
+ */
+ public void setCsp(final String csp) {
+ this.csp = csp;
+ }
+
+ /**
+ * get httpOnly.
+ *
+ * @return httpOnly
+ */
+ public String getHttpOnly() {
+ return httpOnly;
+ }
+
+ /**
+ * set httpOnly.
+ *
+ * @param httpOnly httpOnly
+ */
+ public void setHttpOnly(final String httpOnly) {
+ this.httpOnly = httpOnly;
+ }
+
+//
+// public Boolean enableHttpOnly() {
+//
+// }
+}
diff --git a/shenyu-plugin/shenyu-plugin-xss/src/main/java/org/apache/shenyu/plugin/xss/handler/XssPluginDataHandler.java b/shenyu-plugin/shenyu-plugin-xss/src/main/java/org/apache/shenyu/plugin/xss/handler/XssPluginDataHandler.java
new file mode 100644
index 000000000000..c818dd670723
--- /dev/null
+++ b/shenyu-plugin/shenyu-plugin-xss/src/main/java/org/apache/shenyu/plugin/xss/handler/XssPluginDataHandler.java
@@ -0,0 +1,65 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.shenyu.plugin.xss.handler;
+
+import org.apache.shenyu.common.dto.PluginData;
+import org.apache.shenyu.common.dto.RuleData;
+import org.apache.shenyu.common.dto.convert.rule.XssHandle;
+import org.apache.shenyu.common.enums.PluginEnum;
+import org.apache.shenyu.common.utils.GsonUtils;
+import org.apache.shenyu.common.utils.Singleton;
+import org.apache.shenyu.plugin.base.cache.CommonHandleCache;
+import org.apache.shenyu.plugin.base.handler.PluginDataHandler;
+import org.apache.shenyu.plugin.base.utils.BeanHolder;
+import org.apache.shenyu.plugin.base.utils.CacheKeyUtils;
+import org.apache.shenyu.plugin.xss.config.XssConfig;
+
+import java.util.Optional;
+import java.util.function.Supplier;
+
+/**
+ * The type Xss plugin data handler.
+ */
+public class XssPluginDataHandler implements PluginDataHandler {
+
+ public static final Supplier> CACHED_HANDLE = new BeanHolder<>(CommonHandleCache::new);
+
+ @Override
+ public void handlerPlugin(final PluginData pluginData) {
+ XssConfig XssConfig = GsonUtils.getInstance().fromJson(pluginData.getConfig(), XssConfig.class);
+ Singleton.INST.single(XssConfig.class, XssConfig);
+ }
+
+ @Override
+ public void handlerRule(final RuleData ruleData) {
+ Optional.ofNullable(ruleData.getHandle()).ifPresent(s -> {
+ final XssHandle XssHandle = GsonUtils.getInstance().fromJson(s, XssHandle.class);
+ CACHED_HANDLE.get().cachedHandle(CacheKeyUtils.INST.getKey(ruleData), XssHandle);
+ });
+ }
+
+ @Override
+ public void removeRule(final RuleData ruleData) {
+ Optional.ofNullable(ruleData.getHandle()).ifPresent(s -> CACHED_HANDLE.get().removeHandle(CacheKeyUtils.INST.getKey(ruleData)));
+ }
+
+ @Override
+ public String pluginNamed() {
+ return PluginEnum.XSS.getName();
+ }
+}
diff --git a/shenyu-plugin/shenyu-plugin-xss/src/main/java/org/apache/shenyu/plugin/xss/utils/XSSUtils.java b/shenyu-plugin/shenyu-plugin-xss/src/main/java/org/apache/shenyu/plugin/xss/utils/XSSUtils.java
new file mode 100644
index 000000000000..d96c275a5e02
--- /dev/null
+++ b/shenyu-plugin/shenyu-plugin-xss/src/main/java/org/apache/shenyu/plugin/xss/utils/XSSUtils.java
@@ -0,0 +1,68 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.shenyu.plugin.xss.utils;
+
+import org.springframework.util.StringUtils;
+
+import java.util.regex.Pattern;
+
+/**
+ * xss utils.
+ */
+public final class XSSUtils {
+
+ private XSSUtils() {
+ }
+
+ private static final Pattern[] PATTERNS = {
+ // Avoid anything in a ", Pattern.CASE_INSENSITIVE),
+ // Avoid anything in a src='...' type of expression
+ Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
+ Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
+ // Remove any lonesome tag
+ Pattern.compile("", Pattern.CASE_INSENSITIVE),
+ // Avoid anything in a ", Pattern.CASE_INSENSITIVE),
+ // Remove any lonesome