@humanspeak/svelte-purify
Advanced tools
Safe HTML rendering for Svelte powered by DOMPurify. SSR-ready, browser-only entry, and edge-friendly options.
A tiny, friendly sanitizer for Svelte that keeps your HTML shiny and safe using DOMPurify. SSR-ready by default.
optionsnpm i -S @humanspeak/svelte-purify
# or
pnpm add @humanspeak/svelte-purify
# or
yarn add @humanspeak/svelte-purify
<script lang="ts">
import { SveltePurify } from '@humanspeak/svelte-purify'
const html = `<p>Hello <strong>world</strong><script>alert(1)</script></p>`
</script>
<SveltePurify {html} />
<SveltePurify {html} maxLength={120} />
You can render UI before and after the sanitized HTML. Each hook receives the sanitized HTML length as a number.
<script lang="ts">
import { SveltePurify } from '@humanspeak/svelte-purify'
const html = `<p><strong>Hello</strong> world!</p>`
</script>
<SveltePurify
{html}
preHtml={(len) => <>Sanitized length: {len}</>}
postHtml={(len) => <> • {len} chars</>}
/>
Pass any DOMPurify.sanitize options. We don’t hide anything—use the full power of DOMPurify.
<script lang="ts">
import { SveltePurify } from '@humanspeak/svelte-purify'
const html = `<a href="javascript:alert(1)" title="nope">click me</a>`
const options = {
ALLOWED_TAGS: ['a'],
ALLOWED_ATTR: ['href', 'title']
}
</script>
<SveltePurify {html} {options} />
Note: The component returns sanitized HTML as a string (not DOM nodes).
| Component | Prop | Type | Description |
|---|---|---|---|
SveltePurify | html | string | Raw HTML to sanitize and render |
options | Parameters<typeof DOMPurify.sanitize>[1] | DOMPurify options (all supported) | |
maxLength | number | If set, truncates the sanitized HTML string | |
preHtml | Snippet<[number]> | Renders before HTML; receives sanitized length | |
postHtml | Snippet<[number]> | Renders after HTML; receives sanitized length |
import { SveltePurify } from '@humanspeak/svelte-purify'
This library delegates sanitization to DOMPurify, a battle-tested sanitizer. It removes script tags, event handler attributes (like onerror), and unsafe URLs (javascript:), among many other protections.
Strip a specific tag with DOMPurify options:
<SveltePurify html="<p>Hello <strong>world</strong></p>" options={{ FORBID_TAGS: ['strong'] }} />
Allow an extra tag:
<SveltePurify
html="<iframe src=\"about:blank\"></iframe>"
options={{ ADD_TAGS: ['iframe'] }}
/>
MIT © Humanspeak, Inc.
Made with ❤️ by Humanspeak
Special thanks to @jill64 — her years of Svelte contributions taught me so much and inspired this work.
FAQs
Safe HTML rendering for Svelte powered by DOMPurify. SSR-ready, browser-only entry, and edge-friendly options.
The npm package @humanspeak/svelte-purify receives a total of 1,402 weekly downloads. As such, @humanspeak/svelte-purify popularity was classified as popular.
We found that @humanspeak/svelte-purify demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
/Research
Socket detected malicious node-ipc versions with obfuscated stealer/backdoor behavior in a developing npm supply chain attack.
Security News
TeamPCP and BreachForums are promoting a Shai-Hulud supply chain attack contest with a $1,000 prize for the biggest package compromise.
Security News
Packagist urges PHP projects to update Composer after a GitHub token format change exposed some GitHub Actions tokens in CI logs.