diff --git a/bigbluebutton-web/grails-app/controllers/org/bigbluebutton/web/controllers/ApiController.groovy b/bigbluebutton-web/grails-app/controllers/org/bigbluebutton/web/controllers/ApiController.groovy
index 54803a19edb999e1512317507acafb1293341f43..38610fde2cd51ca160781ded3c022876784dcc63 100755
--- a/bigbluebutton-web/grails-app/controllers/org/bigbluebutton/web/controllers/ApiController.groovy
+++ b/bigbluebutton-web/grails-app/controllers/org/bigbluebutton/web/controllers/ApiController.groovy
@@ -245,6 +245,8 @@ class ApiController {
     // Do we have a name for the user joining? If none, complain.
     if (!StringUtils.isEmpty(params.fullName)) {
       params.fullName = StringUtils.strip(params.fullName);
+      // remove control characters ( sanitize )
+      params.fullName = params.fullName.replaceAll("\\p{Cntrl}", "");
       if (StringUtils.isEmpty(params.fullName)) {
         errors.missingParamError("fullName");
       }
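Review bot: The added `replaceAll("\\p{Cntrl}", "")` removes only ASCII control characters, because in Java's default regex mode `\p{Cntrl}` is the POSIX class `[\x00-\x1F\x7F]`; C1 controls (U+0080–U+009F) and Unicode format characters such as bidirectional overrides or zero-width characters remain in `fullName`, which is presumably displayed to other participants. Consider `params.fullName = params.fullName.replaceAll("[\\p{Cc}\\p{Cf}]", "");`, after checking whether names that legitimately need joiner characters (category Cf) must be preserved. The `StringUtils.strip` on the preceding line also runs before the removal, so a value that begins with a control character followed by a space keeps its leading whitespace; calling `strip` after the `replaceAll` avoids that. The enclosing `if` and the method continue outside the hunk, so whether the name is output-encoded later cannot be judged from here.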