I am using the htmlpurifier library for sanitizing my incoming parameters, but it is not filtering null bytes (e.g. %00). Am I missing something, or does the library not support it? Will I be required to use a regex? Thanks for any answers.
Edit:
I am using htmlpurifier with the config options
$config = HTMLPurifier_Config::createDefault();
$config->set('Core', 'Encoding', "UTF-8");
$config->set('Cache', 'SerializerPath', "/webdirs/htmlpurify");
For the test string
';</script><%00script>alert(845122)</script>
I get the output
';<%00script>alert(845122)
As shown by HTMLPurifier/EncoderTest.php and HTMLPurifierTest.php, HTML Purifier does clean out null bytes:
$this->assertPurification("Null byte\0", "Null byte");
and
$this->assertCleanUTF8("null byte: \0", 'null byte: ');
Maybe you should post some code?
Edit: Your edit is slightly misleading; the actual output code is:
';&lt;%00script&gt;alert(845122)
which is just a string of plain text and perfectly safe. Percent-signs do not have special meaning in HTML.
If you would like to place a string in a URL, use urlencode().
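The distinction the answer draws, between the literal text "%00" and a real NUL byte, as an added Python example that is not code from the question, the answer, or HTML Purifier itself. The NUL stripping is only a minimal model of what the purifier's encoder does, and the sample strings are constructed from the question's test input:

```python
from html import escape
from urllib.parse import unquote

# Constructed inputs: the question's test string as received (percent-encoded
# text), and the same string with an actual NUL byte where "%00" was.
PERCENT_ENCODED = "';</script><%00script>alert(845122)</script>"
REAL_NUL = "';</script><\x00script>alert(845122)</script>"


def contains_nul(text):
    """True only if a real NUL character is present; "%00" is not one."""
    return "\x00" in text


def strip_nul(text):
    """Minimal model (assumption) of the purifier's null-byte removal.
    It has nothing to remove from "%00", which is three ordinary characters."""
    return text.replace("\x00", "")


def as_plain_text(fragment):
    """Escaping a fragment that is not a tag: '<' followed by '%' cannot start
    a tag name, so the percent sign has no special meaning in HTML."""
    return escape(strip_nul(fragment), quote=False)


def decode_then_check(raw):
    """URL-decoding is the layer at which "%00" turns into a real NUL.
    Run the NUL check on the decoded value, not on the raw parameter."""
    decoded = unquote(raw)
    return decoded, contains_nul(decoded)


if __name__ == "__main__":
    print(contains_nul(PERCENT_ENCODED))          # False: no NUL in the raw text
    print(as_plain_text("<%00script>"))           # &lt;%00script&gt;
    decoded, has_nul = decode_then_check(PERCENT_ENCODED)
    print(has_nul)                                # True: NUL appears after decoding
    print(strip_nul(decoded) == strip_nul(REAL_NUL))
```

Note that stripping the NUL from the decoded form re-forms "<script>", which is why the purifier strips NULs before tokenizing rather than after.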