diff --git a/application/admin/controller/Ajax.php b/application/admin/controller/Ajax.php
index 3513eb16..a1626c46 100644
--- a/application/admin/controller/Ajax.php
+++ b/application/admin/controller/Ajax.php
@@ -11,6 +11,7 @@ use think\Cache;
 use think\Config;
 use think\Db;
 use think\Lang;
+use think\Loader;
 use think\Response;
 use think\Validate;
@@ -47,9 +48,20 @@ class Ajax extends Backend
 $header['Expires'] = gmdate("D, d M Y H:i:s", time() + $offset) . " GMT";
 }
+ $controllername = $this->request->get('controllername');
+ $lang = $this->request->get('lang');
+ if (!$lang || !in_array($lang, config('allow_lang_list')) || !$controllername || !preg_match("/^[a-z0-9\.]+$/i", $controllername)) {
+ return jsonp(['errmsg' => '参数错误'], 200, [], ['json_encode_param' => JSON_FORCE_OBJECT | JSON_UNESCAPED_UNICODE]);
+ }
+
 $controllername = input("controllername");
- //默认只加载了控制器对应的语言名,你还根据控制器名来加载额外的语言包
- $this->loadlang($controllername);
+ $className = Loader::parseClass($this->request->module(), 'controller', $controllername, false);
+
+ //存在对应的类才加载
+ if (class_exists($className)) {
+ $this->loadlang($controllername);
+ }
+
 return jsonp(Lang::get(), 200, $header, ['json_encode_param' => JSON_FORCE_OBJECT | JSON_UNESCAPED_UNICODE]);
 }
diff --git a/application/index/controller/Ajax.php b/application/index/controller/Ajax.php
index 967f9077..3e1f24a1 100644
--- a/application/index/controller/Ajax.php
+++ b/application/index/controller/Ajax.php
@@ -4,6 +4,7 @@ namespace app\index\controller;
 use app\common\controller\Frontend;
 use think\Lang;
+use think\Loader;
 use think\Response;
 /**
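Review bot: The validated value is thrown away before it is used in the admin hunk: the new guard checks `$this->request->get('controllername')`, but the unchanged context line `$controllername = input("controllername");` immediately re-reads the name from the merged parameter set, so a request carrying a clean `controllername` in the query string and a different one in the POST body or a route variable reaches `Loader::parseClass()` and `loadlang()` with a value the regex never saw, if `input()` behaves like ThinkPHP 5's `param()` where later sources override GET. Delete that re-read so the checked GET copy is what flows into `parseClass()`, or validate `input('controllername')` rather than a GET-only copy. `$lang` is validated here but not consumed in this hunk, so wherever it is read later the same GET-versus-param mismatch may apply; `in_array($lang, config('allow_lang_list'))` should also pass `true` as its third argument and will raise a TypeError on PHP 8 if `allow_lang_list` is missing from config. The enclosing method begins before this hunk, inside the `if` that builds the cache headers.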
@@ -31,8 +32,20 @@ class Ajax extends Frontend
 $header['Expires'] = gmdate("D, d M Y H:i:s", time() + $offset) . " GMT";
 }
+ $controllername = $this->request->get('controllername');
+ $lang = $this->request->get('lang');
+ if (!$lang || !in_array($lang, config('allow_lang_list')) || !$controllername || !preg_match("/^[a-z0-9\.]+$/i", $controllername)) {
+ return jsonp(['errmsg' => '参数错误'], 200, [], ['json_encode_param' => JSON_FORCE_OBJECT | JSON_UNESCAPED_UNICODE]);
+ }
+
 $controllername = input("controllername");
- $this->loadlang($controllername);
+ $className = Loader::parseClass($this->request->module(), 'controller', $controllername, false);
+
+ //存在对应的类才加载
+ if (class_exists($className)) {
+ $this->loadlang($controllername);
+ }
+
 //强制输出JSON Object
 return jsonp(Lang::get(), 200, $header, ['json_encode_param' => JSON_FORCE_OBJECT | JSON_UNESCAPED_UNICODE]);
 }
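Review bot: The same validate-then-overwrite gap exists in the frontend hunk: `$controllername` passes the `[a-z0-9\.]+` check only as the GET value, and the kept context line `$controllername = input("controllername");` then replaces it with whatever `input()` resolves, which presumably includes POST and route parameters that take precedence over GET, so the name handed to `Loader::parseClass()` can differ from the one that was checked. Because `class_exists($className)` invokes the autoloader on a class name derived from that unchecked read, the `class_exists` guard is not a substitute for the regex and should only ever see the validated string; removing the `input()` re-read, or changing the guard to validate `input('controllername')`, closes the gap. This is the unauthenticated controller, so the stricter of the two readings should win here. The method's signature and the start of the cache-header `if` lie outside this hunk.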