diff --git a/lib/default.js b/lib/default.js
index cba0eed..77c007b 100644
--- a/lib/default.js
+++ b/lib/default.js
@@ -355,6 +355,16 @@ function stripCommentTag (html) {
}
var STRIP_COMMENT_TAG_REGEXP = //g;
+/**
+ * 去除不可见字符
+ *
+ * @param {String} html
+ * @return {String}
+ */
+function stripBlankChar (html) {
+ return html.replace(/[\u0000-\u001F]|\u007F/g, '');
+}
+
exports.whiteList = whiteList;
exports.onTag = onTag;
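Review bot: The character class in `stripBlankChar`, `/[\u0000-\u001F]|\u007F/g`, also removes TAB (U+0009), LF (U+000A) and CR (U+000D), so every multi-line input comes back on one line and text inside `<pre>` or `<textarea>` loses its line breaks — a behaviour change unrelated to the filtering goal. Excluding the HTML whitespace characters keeps the rest of the C0 range and DEL covered: `return html.replace(/[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F]/g, '');`. The JSDoc would also be clearer in English and with the contract spelled out, e.g. `Remove C0 control characters (except HTML whitespace) and DEL (U+007F) from the input before it is parsed.` The same regex is what `process` in lib/xss.js applies to every input, so the whitespace point applies to that hunk as well.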
@@ -373,3 +383,4 @@ exports.escapeAttrValue = escapeAttrValue;
exports.onIgnoreTagStripAll = onIgnoreTagStripAll;
exports.StripTagBody = StripTagBody;
exports.stripCommentTag = stripCommentTag;
+exports.stripBlankChar = stripBlankChar;
diff --git a/lib/xss.js b/lib/xss.js
index e82a2d8..0595d20 100644
--- a/lib/xss.js
+++ b/lib/xss.js
@@ -84,6 +84,9 @@ FilterXSS.prototype.process = function (html) {
html = html.toString();
if (!html) return '';
+ // 去除不可见字符
+ html = DEFAULT.stripBlankChar(html);
+
var me = this;
var options = me.options;
var whiteList = options.whiteList;
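Review bot: `html = DEFAULT.stripBlankChar(html);` runs on every input before `options` is read, so callers have no way to opt out, and with the regex as written in lib/default.js their tabs and newlines are removed along with the control characters. If preserving whitespace matters to existing users, consider gating the call on an option or narrowing the regex so only non-whitespace control characters are dropped. The comment `// 去除不可见字符` would serve a maintainer better in English and with the reason, e.g. `// Strip control characters before parsing so they cannot be embedded in tag or attribute names`. `process` starts and continues outside the hunk.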
diff --git a/test/test_xss.js b/test/test_xss.js
index 6433bb2..0c6dcd5 100644
--- a/test/test_xss.js
+++ b/test/test_xss.js
@@ -18,6 +18,9 @@ describe('test XSS', function () {
assert.equal(xss(123), '123');
assert.equal(xss({a: 1111}), '[object Object]');
+ // 清除不可见字符
+ assert.equal(xss('a\u0000\u0001\u0002b'), 'ab');
+
// 过滤不在白名单的标签
assert.equal(xss('abcd'), 'abcd');
assert.equal(xss('abcd'), '<o>abcd</o>');
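Review bot: The new assertion `assert.equal(xss('a\u0000\u0001\u0002b'), 'ab');` covers only U+0000–U+0002 and leaves the behaviour for TAB, LF and CR unpinned, which is exactly where the regex in lib/default.js is most likely to surprise callers. Add a case that fixes the intended treatment of ordinary whitespace, e.g. `assert.equal(xss('a\nb\tc'), 'a\nb\tc');` if whitespace is meant to survive (this fails with the regex as committed, which strips it), plus a case for the upper bound of the range, `assert.equal(xss('a\u007Fb'), 'ab');`. The `describe` block starts before and continues past the hunk.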