diff --git a/src/__tests__/index.test.ts b/src/__tests__/index.test.ts
index 22e1b68..c6a4e26 100644
--- a/src/__tests__/index.test.ts
+++ b/src/__tests__/index.test.ts
@@ -109,6 +109,8 @@ describe("sanitizeUrl", () => {
       " &#14; javascript:alert('XSS');",
       "javasc&Tab;ript: alert('XSS');",
       "javasc&#\u0000x09;ript:alert(1)",
+      "java&#38;&#38;&#35;78&#59;ewLine&#38;newline&#59;&#59;script&#58;alert&#40;&#39;XSS&#39;&#41;",
+      "java&&#78;ewLine&newline;;script:alert('XSS')",
     ];
 
     attackVectors.forEach((vector) => {
diff --git a/src/index.ts b/src/index.ts
index 49f1749..dd04813 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -24,12 +24,19 @@ export function sanitizeUrl(url?: string): string {
   if (!url) {
     return BLANK_URL;
   }
-
-  const sanitizedUrl = decodeHtmlCharacters(url)
-    .replace(htmlCtrlEntityRegex, "")
-    .replace(ctrlCharactersRegex, "")
-    .trim();
-
+  let charsToDecode;
+  let decodedUrl = url;
+  do {
+    decodedUrl = decodeHtmlCharacters(decodedUrl)
+      .replace(htmlCtrlEntityRegex, "")
+      .replace(ctrlCharactersRegex, "")
+      .trim();
+    charsToDecode =
+      decodedUrl.match(ctrlCharactersRegex) ||
+      decodedUrl.match(htmlEntitiesRegex) ||
+      decodedUrl.match(htmlCtrlEntityRegex);
+  } while (charsToDecode && charsToDecode.length > 0);
+  const sanitizedUrl = decodedUrl;
   if (!sanitizedUrl) {
     return BLANK_URL;
   }