diff --git a/controllers/reply.js b/controllers/reply.js
index 1d8fb9d..3981cde 100644
--- a/controllers/reply.js
+++ b/controllers/reply.js
@@ -195,7 +195,7 @@ function get_reply_by_id(id, cb) {
 if (err) {
 return cb(err);
 }
- reply.content = Showdown.parse(Util.escape(str));;
+ reply.content = Util.xss(Showdown.parse(str));
 return cb(err, reply);
 });
 });
@@ -250,7 +250,7 @@ function get_replies_by_topic_id(id, cb) {
 if (err) {
 return cb(err);
 }
- replies[i].content = Showdown.parse(Util.escape(str));
+ replies[i].content = Util.xss(Showdown.parse(str));
 proxy.emit('reply_find');
 });
 });
diff --git a/controllers/topic.js b/controllers/topic.js
index 105eed6..cbbde23 100644
--- a/controllers/topic.js
+++ b/controllers/topic.js
@@ -59,7 +59,7 @@ exports.index = function (req, res, next) {
 if (err) {
 return ep.emit(err);
 }
- topic.content = Showdown.parse(Util.escape(content));
+ topic.content = Util.xss(Showdown.parse(content));
 ep.emit('@user');
 });
 });
diff --git a/libs/util.js b/libs/util.js
index 6ac2282..42f7603 100644
--- a/libs/util.js
+++ b/libs/util.js
@@ -1,3 +1,5 @@
+var xss = require('xss');
+
 exports.format_date = function (date, friendly) {
 var year = date.getFullYear();
 var month = date.getMonth() + 1;
@@ -77,3 +79,13 @@ exports.escape = function(html){
 .replace(/^\n\n/, '')
 .replace(/\n\n$/, '');
 };
+
+/**
+ * 过滤XSS攻击代码
+ *
+ * @param {string} html
+ * @return {string}
+ */
+exports.xss = function (html) {
+ return xss(html);
+};
diff --git a/package.json b/package.json
index 26c5f37..ad98b20 100644
--- a/package.json
+++ b/package.json
@@ -12,7 +12,8 @@
 "validator": "0.3.7",
 "ndir": ">=0.1.3",
 "nodemailer": "0.3.5",
- "data2xml": "0.4.0"
+ "data2xml": "0.4.0",
+ "xss": ">=0.0.2"
 },
 "devDependencies": {
 "should": "*",
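Review bot: Safety of the stored HTML now rests entirely on the xss package's default whitelist, because `str` is no longer passed through `Util.escape` before `Showdown.parse(str)` and whatever markup a reply contains reaches the Markdown renderer unchanged; the same applies to the `replies[i].content` hunk below and to `topic.content` in controllers/topic.js. Dropping `Util.escape` also drops the trailing normalisation visible in the libs/util.js context (`.replace(/^\n\n/, '')` and `.replace(/\n\n$/, '')`), so confirm nothing relied on that trimming of leading and trailing blank lines. A fixture test that renders a reply containing a raw tag and asserts the sanitised output would pin the intended behaviour across xss upgrades. get_reply_by_id's body starts and ends outside the hunk.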
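Review bot: The JSDoc on `exports.xss` should be in English and state the contract the controllers depend on, e.g. `Sanitize rendered HTML using the xss package's default whitelist; call it on the output of Showdown.parse, as the last step before the string is stored or rendered.` Because the function forwards to `xss(html)` with no options, any change in the library's defaults changes what this site lets through; if this xss version accepts an options argument, passing an explicit whitelist here would keep the policy in the repository rather than in the dependency. `exports.escape` closes inside the hunk at `};`, so the new function is self-contained.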
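Review bot: `"xss": ">=0.0.2"` is an open-ended range on the one dependency this commit relies on for output sanitisation, so a later install could silently pick up a release with a different whitelist or API. Pin it like the neighbouring entries (`"validator": "0.3.7"`, `"nodemailer": "0.3.5"`), e.g. `"xss": "0.0.2"`, and bump it deliberately when the sanitiser is re-tested.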