I am using the htmlpurifier library for sanitizing my incoming parameters, but it is not filtering null bytes (e.g. %00). Am I missing something, or does the library not support it? Will I be required to use a regex? Thanks for any answers.
Edit:
I am using htmlpurifier with the following config options:
$config = HTMLPurifier_Config::createDefault();
$config->set('Core', 'Encoding', "UTF-8");
$config->set('Cache', 'SerializerPath', "/webdirs/htmlpurify");
For the test string
';</script><%00script>alert(845122)</script>
I get the output
';<%00script>alert(845122)
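As an added example (not part of the original question), a short PHP check that shows the difference between the literal three-character sequence %00 and an actual NUL byte (only urldecode() turns the former into the latter), and strips real NUL bytes before the string reaches purify(). It assumes HTMLPurifier is installed with HTMLPurifier.auto.php on the include path and uses the dotted Core.Encoding key for the same setting as in the question.

```php
<?php
// Added example, not from the original question. Assumes HTMLPurifier is
// installed and HTMLPurifier.auto.php is reachable via the include path.
require_once 'HTMLPurifier.auto.php';

// Remove actual NUL bytes (chr(0)) and report how many were dropped.
function stripNulBytes(string $s): array
{
    $clean = str_replace("\0", '', $s);
    return [$clean, strlen($s) - strlen($clean)];
}

// The test string from the question. Here "%00" is three ASCII characters
// ('%', '0', '0'), not a NUL byte, so a null-byte filter has nothing to remove.
$literal = "';</script><%00script>alert(845122)</script>";

// Only after URL decoding does %00 become a real NUL byte (0x00).
$decoded = urldecode($literal);

$config = HTMLPurifier_Config::createDefault();
$config->set('Core.Encoding', 'UTF-8');
$purifier = new HTMLPurifier($config);

foreach (['literal %00' => $literal, 'urldecoded' => $decoded] as $label => $input) {
    [$stripped, $dropped] = stripNulBytes($input);
    // bin2hex makes the difference visible: "253030" vs "00" at the same offset.
    printf("%-12s bytes=%s\n", $label, bin2hex($input));
    printf("%-12s NUL bytes removed before purify: %d\n", $label, $dropped);
    printf("%-12s purified: %s\n\n", $label, $purifier->purify($stripped));
}
```

Decode at most once and only where your application actually treats the parameter as URL-encoded; stripping NUL bytes after that decode step is what a request-layer filter would need to do, independently of what the HTML sanitizer does afterwards.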