diff --git a/CHANGELOG.md b/CHANGELOG.md
index b542e70..0d594a6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # CHANGELOG
 
+## UNRELEASED
+
+- Add additional null byte sanitization prior to html decoding (#48)
+
 ## 6.0.3
 
 - Add null check to beginning of `sanitizeUrl` function ([#54](https://github.com/braintree/sanitize-url/issues/54))
diff --git a/src/__tests__/index.test.ts b/src/__tests__/index.test.ts
index 6a31fa4..7823aa4 100644
--- a/src/__tests__/index.test.ts
+++ b/src/__tests__/index.test.ts
@@ -107,6 +107,7 @@ describe("sanitizeUrl", () => {
     "jav ascript:alert('XSS');",
     "  javascript:alert('XSS');",
     "javasc ript: alert('XSS');",
+    "javasc&#\u0000x09;ript:alert(1)",
   ];
 
   attackVectors.forEach((vector) => {
diff --git a/src/index.ts b/src/index.ts
index 663840a..8e5ef09 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -14,7 +14,8 @@ function isRelativeUrlWithoutProtocol(url: string): boolean {
 // adapted from https://stackoverflow.com/a/29824550/2601552
 function decodeHtmlCharacters(str: string) {
-  return str.replace(htmlEntitiesRegex, (match, dec) => {
+  const removedNullByte = str.replace(ctrlCharactersRegex, "");
+  return removedNullByte.replace(htmlEntitiesRegex, (match, dec) => {
     return String.fromCharCode(dec);
   });
 }
 
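Review bot: The new vector covers exactly one shape — a `\u0000` between `#` and the hex digits of the entity — so a regression in `ctrlCharactersRegex` that still strips that case but not a control character at another position in the entity would pass unnoticed. A sibling entry such as `"javasc&\u0000#x09;ript:alert(1)"` and one using a different control character in the same slot would pin the intended behaviour rather than the single example from the report. The `attackVectors` array and its enclosing `describe` start outside the hunk.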
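Review bot: The local name `removedNullByte` undersells the line if `ctrlCharactersRegex` covers more than `\u0000`, as its name suggests, and `decodeHtmlCharacters` still has no declared return type; `function decodeHtmlCharacters(str: string): string {` and `const withoutCtrlChars = str.replace(ctrlCharactersRegex, "");` would read more accurately. The ordering is the whole fix and deserves a why-comment, e.g. `// strip control characters before decoding: an entity split by one (e.g. &#\u0000x09;, see the test vector) does not match htmlEntitiesRegex, and stripping after decoding would reassemble it unseen`. Decoding can itself yield control characters (`&#x09;` is a tab), so this pass presumably complements rather than replaces whatever stripping `sanitizeUrl` applies after decoding — worth confirming at that call site, which is outside the hunk. The `match` callback parameter is unused and could be `_match`.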