diff --git a/src/controllers/updateCell.js b/src/controllers/updateCell.js
index 3981266..ec81914 100644
--- a/src/controllers/updateCell.js
+++ b/src/controllers/updateCell.js
@@ -217,7 +217,7 @@ export function luckysheetupdateCell(row_index1, col_index1, d, cover, isnotfocu
     if((value == null || value.toString() == "") && !cover){
         value = "<br/>";
     }
-    
+    value = formula.xssDeal(value);
     if(!checkProtectionCellHidden(row_index, col_index, Store.currentSheetIndex) && value.length>0 && value.substr(0, 63)=='<span dir="auto" class="luckysheet-formula-text-color">=</span>'){
         $("#luckysheet-rich-text-editor").html("");
     }
diff --git a/src/global/formula.js b/src/global/formula.js
index 57f36cb..71fda9c 100755
--- a/src/global/formula.js
+++ b/src/global/formula.js
@@ -321,7 +321,11 @@ const luckysheetformula = {
             sheetmanage.changeSheetExec(_this.rangetosheet);
         }
     },
-    fucntionboxshow: function (r, c) {
+    xssDeal: function(str) {
+        if (typeof str !== 'string') return str;
+        return str.replace(/<script>/g, '&lt;script&gt;').replace(/<\/script>/, '&lt;/script&gt;');
+    },
+    fucntionboxshow: function(r, c) {
 
         if (!checkProtectionCellHidden(r, c, Store.currentSheetIndex)) {
             $("#luckysheet-functionbox-cell").html("");
@@ -346,7 +350,7 @@ const luckysheetformula = {
                 value = valueShowEs(r, c, d);
             }
         }
-
+        value = this.xssDeal(value);
         _this.oldvalue = value;
         $("#luckysheet-functionbox-cell").html(value);
     },
@@ -3331,11 +3335,11 @@ const luckysheetformula = {
             $editer = $input;
         let value1 = $editer.html(),
             value1txt = $editer.text();
-
-        setTimeout(function () {
+        let xssDeal = this.xssDeal
+        setTimeout(function() {
             let value = $editer.text(),
                 valuetxt = value;
-
+            value = xssDeal(value);
             if (value.length > 0 && value.substr(0, 1) == "=" && (kcode != 229 || value.length == 1)) {
                 value = _this.functionHTMLGenerate(value);
                 value1 = _this.functionHTMLGenerate(value1txt);
@@ -5942,4 +5946,4 @@ const luckysheetformula = {
     data_parm_index: 0  //选择公式后参数索引标记
 }
 
-export default luckysheetformula;
\ No newline at end of file
+export default luckysheetformula;