explaingit

cure53/dompurify

16,994 · JavaScript · Audience · developer · Complexity · 2/5 · Setup · easy

TLDR

DOMPurify is a JavaScript library that strips malicious code from untrusted HTML before it is shown on a webpage, protecting users from cross-site scripting attacks with a single function call.

Mindmap

mindmap
  root((DOMPurify))
    What it does
      HTML sanitization
      XSS prevention
      One function call
    How it works
      Uses browser DOM parser
      Removes dangerous tags
      Customizable via hooks
    Where to use
      User comments
      Rich-text editors
      Third-party API content
    Tech
      JavaScript
      Node.js with jsdom
      SVG and MathML support

Things people build with this

USE CASE 1

Sanitize user-submitted comments or rich-text editor output before rendering them in a web page.

USE CASE 2

Clean HTML fetched from a third-party API or RSS feed before injecting it into the DOM.

USE CASE 3

Protect a Node.js server-side rendering pipeline from XSS in untrusted incoming content.

USE CASE 4

Allow only safe formatting tags while stripping scripts and event handlers from user input.

Tech stack

JavaScript · Node.js · jsdom

Getting it running

Difficulty · easy · Time to first run · 5 min

Server-side use with Node.js requires a DOM library such as jsdom. Always use a current jsdom version; outdated versions can reintroduce XSS holes.

License information is not mentioned in the repository description.

In plain English

DOMPurify is a JavaScript library that cleans up HTML before your website displays it, blocking a class of web attacks called XSS (cross-site scripting), in which someone slips malicious code into content such as a user comment so that it runs in other visitors' browsers. You hand DOMPurify a string of untrusted HTML and it hands back a sanitized version with the dangerous parts removed. It is fast and easy to drop in: after including the script, sanitizing is one line, DOMPurify.sanitize(dirty). It accepts HTML, SVG and MathML by default, and you can narrow that down (for example, to plain HTML only) through a profile setting. The cleaned result can then be written into the page normally.

Internally it relies on the browser's own DOM engine to parse and inspect the content, which is what keeps it quick and accurate; the project describes itself as a DOM-only, super-fast, uber-tolerant XSS sanitizer. Hooks let you customise the sanitization, and a removed property lists what was stripped; that list is intended for curiosity rather than security decisions. DOMPurify runs in all modern browsers and also on the server with Node.js, but server use requires a DOM library such as jsdom, and the maintainers strongly recommend keeping that dependency current because older versions can reintroduce XSS holes. Tools like happy-dom are flagged as not currently safe to pair with it.

Reach for DOMPurify whenever your app has to render HTML that came from somewhere you don't fully control: user-submitted content, third-party feeds, rich-text editors, or API responses. It is written by a security firm and inspired the browser-native HTML Sanitizer API.

Copy-paste prompts

Prompt 1
I have a rich text editor that saves HTML. Before showing it to other users, sanitize it with DOMPurify, allowing only bold, italic, link and paragraph tags; show me the code.
Prompt 2
I am fetching blog post content from a third-party API that returns HTML. Show me how to sanitize it with DOMPurify before injecting it into a React component.
Prompt 3
Set up DOMPurify in a Node.js Express app using jsdom so I can sanitize HTML on the server before saving it to my database.
Prompt 4
How do I use DOMPurify hooks to log what was stripped from user input without changing the sanitized output?

Verify against the repo before relying on details.