explaingit

microcosm-cc/bluemonday

Analysis updated 2026-07-03

3,669 stars · Go · Audience · developer · Complexity · 2/5 · Setup · easy

TLDR

bluemonday is a Go library that cleans user-submitted HTML to prevent XSS attacks. You define a policy of allowed elements, and it strips everything not on the list.

Mindmap

mindmap
  root((repo))
    What it does
      Sanitizes HTML
      Blocks XSS attacks
      Policy-based rules
    Tech Stack
      Go language
      Single forward pass
    Use Cases
      Forum comments
      User profile bios
      Custom whitelists
    Audience
      Go developers
      Web app backends


What do people build with it?

USE CASE 1

Clean user comments before displaying them on a page to block malicious scripts from running in visitors' browsers.

USE CASE 2

Strip all HTML from user-submitted titles or bios so only plain text appears.

USE CASE 3

Allow safe formatting like bold and links in user posts while blocking script, iframe, and style tags.

USE CASE 4

Build a custom whitelist policy with regex rules to match only the HTML your app needs.

What is it built with?

Go

How does it compare?

                    microcosm-cc/bluemonday   go-jet/jet   hoanhan101/algo
Stars               3,669                     3,669        3,669
Language            Go                        Go           Go
Setup difficulty    easy                      moderate     easy
Complexity          2/5                       3/5          1/5
Audience            developer                 developer    developer

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · easy · Time to first run · 5 min

In plain English

bluemonday is a Go library that cleans up HTML before you display it on a web page. Its purpose is to prevent a type of attack called XSS (cross-site scripting), where a malicious user submits HTML or JavaScript that, if displayed unmodified, could run code in other visitors' browsers and steal data or cause harm. bluemonday removes anything dangerous and keeps only what you explicitly approve.

The library works by letting you define a policy: a list of HTML elements and attributes that are safe to keep. You run user-submitted HTML through the policy, and it returns cleaned HTML with anything not on the approved list stripped out. For example, a script tag disguised as a CSS rule, or a link with a JavaScript event handler, gets removed entirely. A normal link to an external website passes through but gains a rel="nofollow" attribute, which is a safe default for user content.

Two default policies are included. The strict policy removes all HTML entirely, leaving only plain text, which suits situations like page titles where no formatting should appear. The UGC policy (short for user-generated content) allows a broad selection of formatting elements such as bold, italic, tables, and images, while blocking anything that can execute code, like script, iframe, or style tags. If neither default fits, you can build a custom policy by specifying exactly which elements and attributes to allow, optionally using regular expressions to match values.

The library is described as production-ready and is already in use by the maintainers' own platform. It is tested against a suite that includes cases originally developed for the OWASP Java HTML Sanitizer, a well-known reference implementation for this class of problem. The library is fast because it processes HTML in a single forward pass rather than building a full document tree.

Installation is a single Go command. You create a policy once at startup, then call its Sanitize method as many times as needed. The same policy object is safe to use across multiple concurrent requests.

Copy-paste prompts

Prompt 1
Using the bluemonday Go library, write code to sanitize user-submitted HTML with the UGC policy and verify that script tags are removed.
Prompt 2
How do I create a custom bluemonday policy in Go that allows img tags but only when the src attribute starts with https?
Prompt 3
Show me how to use bluemonday's strict policy in a Go HTTP handler to strip all HTML from a form input before saving it to a database.
Prompt 4
Write a Go function that takes raw user HTML, runs it through a bluemonday UGC policy, and returns the safe output.

Frequently asked questions

What is bluemonday?

bluemonday is a Go library that cleans user-submitted HTML to prevent XSS attacks. You define a policy of allowed elements, and it strips everything not on the list.

What language is bluemonday written in?

Go.

How hard is bluemonday to set up?

Setup difficulty is rated easy, with roughly 5 min to a first successful run.

Who is bluemonday for?

Mainly developers.
