Analysis updated 2026-07-03
Clean user comments before displaying them on a page to block malicious scripts from running in visitors' browsers.
Strip all HTML from user-submitted titles or bios so only plain text appears.
Allow safe formatting like bold and links in user posts while blocking script, iframe, and style tags.
Build a custom whitelist policy with regex rules to match only the HTML your app needs.
| | microcosm-cc/bluemonday | go-jet/jet | hoanhan101/algo |
|---|---|---|---|
| Stars | 3,669 | 3,669 | 3,669 |
| Language | Go | Go | Go |
| Setup difficulty | easy | moderate | easy |
| Complexity | 2/5 | 3/5 | 1/5 |
| Audience | developer | developer | developer |
Figures from each repo's GitHub metadata at analysis time.
bluemonday is a Go library that cleans up HTML before you display it on a web page. Its purpose is to prevent a type of attack called XSS (cross-site scripting), where a malicious user submits HTML or JavaScript that, if displayed unmodified, could run code in other visitors' browsers and steal data or cause harm. bluemonday removes anything dangerous and keeps only what you explicitly approve.

The library works by letting you define a policy: a list of HTML elements and attributes that are safe to keep. You run user-submitted HTML through the policy, and it returns cleaned HTML with anything not on the approved list stripped out. For example, a script tag disguised as a CSS rule, or a link with a JavaScript event handler, gets removed entirely. A normal link to an external website passes through but gains a rel="nofollow" attribute, which is a safe default for user content.

Two default policies are included. The strict policy removes all HTML entirely, leaving only plain text, which suits situations like page titles where no formatting should appear. The UGC policy (short for user-generated content) allows a broad selection of formatting elements such as bold, italic, tables, and images, while blocking anything that can execute code, like script, iframe, or style tags. If neither default fits, you can build a custom policy by specifying exactly which elements and attributes to allow, optionally using regular expressions to match values.

The library is described as production-ready and is already in use by the maintainers' own platform. It is tested against a suite that includes cases originally developed for the OWASP Java HTML Sanitizer, a well-known reference implementation for this class of problem. The library is fast because it processes HTML in a single forward pass rather than building a full document tree.

Installation is a single Go command. You create a policy once at startup, then call its Sanitize method as many times as needed. The same policy object is safe to use across multiple concurrent requests.
bluemonday is a Go library that cleans user-submitted HTML to prevent XSS attacks. You define a policy of allowed elements, and it strips everything not on the list.
Written mainly in Go.
Setup difficulty is rated easy, with roughly 5 minutes to a first successful run.
Audience: mainly developers.
Verify against the repo before relying on details.