I am using htmlpurifier library for sanitizing my incoming parameters. But it is not

Question

0

Asked: May 15, 20262026-05-15T21:48:37+00:00 2026-05-15T21:48:37+00:00

I am using htmlpurifier library for sanitizing my incoming parameters. But it is not

0

I am using htmlpurifier library for sanitizing my incoming parameters. But it is not filtering null bytes (for e.g. %00). Am I missing something or the library does not support it? Will I be required to use a reg-ex? Thanks for any answers.

Edit:

I am using htmlpurifier with config options

$config = HTMLPurifier_Config::createDefault();
$config->set('Core', 'Encoding', "UTF-8");
$config->set('Cache', 'SerializerPath', "/webdirs/htmlpurify");

For the test string

';</script><%00script>alert(845122)</script>

I get the output

';<%00script>alert(845122)

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-15T21:48:38+00:00

As shown by HTMLPurifier/EncoderTest.php and HTMLPurifierTest.php, HTML Purifier does clean out null bytes:

    $this->assertPurification("Null byte\0", "Null byte");

and

    $this->assertCleanUTF8("null byte: \0", 'null byte: ');

Maybe you should post some code?

Edit: Your edit is slightly misleading; the actual output code is:

';&amp;lt;%00script&amp;gt;alert(845122)

which is just a string of plain text and perfectly safe. Percent-signs do not have special meaning in HTML.

If you would like to place a string in a URL, use urlencode().

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I am using htmlpurifier library for sanitizing my incoming parameters. But it is not

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply