Filter null byte in request

Question

I am using htmlpurifier library for sanitizing my incoming parameters. But it is not filtering null bytes (for e.g. %00). Am I missing something or the library does not support it? Will I be required to use a reg-ex? Thanks for any answers.

Edit:

I am using htmlpurifier with config options

$config = HTMLPurifier_Config::createDefault();
$config->set('Core', 'Encoding', "UTF-8");
$config->set('Cache', 'SerializerPath', "/webdirs/htmlpurify");

For the test string

';</script><%00script>alert(845122)</script>

I get the output

';<%00script>alert(845122)

Answer 1

As shown by HTMLPurifier/EncoderTest.php and HTMLPurifierTest.php, HTML Purifier does clean out null bytes:

    $this->assertPurification("Null byte\0", "Null byte");

and

    $this->assertCleanUTF8("null byte: \0", 'null byte: ');

Maybe you should post some code?

Edit: Your edit is slightly misleading; the actual output code is:

';<%00script>alert(845122)

which is just a string of plain text and perfectly safe. Percent-signs do not have special meaning in HTML.

If you would like to place a string in a URL, use urlencode().

Answer 2

It looks like HTML Purifier is filtering this string correctly, IF it appears within Javascript code.

In Javascript, you want to filter out any occurences of a closing tag, such as </script> even when it appears within a Javascript string literal. Otherwise, injecting </script> into a string value can bypass some non-careful filters and break out of the Javascript string and into arbitrary HTML. HTML Purifier seems to have correctly filtered this by removing that "tag".

There is no harm having <%00script> in a literal string within Javascript, IF that is indeed the context in which it appears.

Note also that %00 is not actually a null byte or PHP, or in HTML, or a Javascript script. It is a percent sign followed by two zeroes. However, in a URL %00 might indeed be interpreted as a null byte and therefore %00 should be filtered out of URLs.