dompurify
Advanced tools
Package description
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML, and SVG. It helps prevent Cross-Site Scripting (XSS) attacks by sanitizing HTML content to ensure it's safe to insert into the DOM. It is written in JavaScript and works in all modern web browsers.
Sanitizing HTML strings
This feature allows you to sanitize HTML strings to prevent XSS attacks. The code sample demonstrates how to sanitize a string that contains a potentially malicious script. The result of this code would be a safe string with the malicious parts removed.
DOMPurify.sanitize('<img src=x onerror=alert(1)//>');Configuring the sanitizer
DOMPurify can be configured to allow certain tags, attributes, or schemes. In the code sample, the sanitizer is configured to allow only 'img' tags and will strip out any other tags, including scripts or event handlers.
DOMPurify.sanitize('<img src=x onerror=alert(1)//>', {ALLOWED_TAGS: ['img']});Hooking into sanitization
DOMPurify allows you to add hooks that can modify the content during the sanitization process. In the code sample, a hook is added that will be called after the attributes of all nodes have been sanitized, allowing for custom manipulation of the nodes.
DOMPurify.addHook('afterSanitizeAttributes', function(node) { /* manipulate node */ });sanitize-html is another HTML sanitizer that can clean up user-generated HTML, preventing XSS attacks. It is similar to DOMPurify but has a different API and set of defaults. It also allows for a high degree of customization in terms of what tags and attributes are allowed.
xss is a package that aims to filter input from users to prevent XSS attacks. It is similar to DOMPurify but includes different options and is more focused on filtering input as opposed to sanitizing existing HTML content.
js-xss is a whitelist-based HTML sanitizer. Like DOMPurify, it can prevent XSS attacks by sanitizing HTML content. It provides a different API and allows for customization of the whitelist to control which tags and attributes are considered safe.
FAQs
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It's written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Firefox and Chrome - as well as almost anything else usin
The npm package dompurify receives a total of 4,674,630 weekly downloads. As such, dompurify popularity was classified as popular.
We found that dompurify demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
The US Justice Department has penalized two consulting firms $11.3 million for failing to meet cybersecurity requirements on federally funded projects, emphasizing strict enforcement to protect sensitive government data.
Security News
ua-parser-js is set to drop the MIT license and adopt a controversial dual AGPLv3 + PRO licensing model in its upcoming v2.0 release, raising significant concerns among developers and enterprise users.
Security News
Researchers recently demonstrated that the npm Registry is vulnerable to cache poisoning combined with DoS, posing significant risks for package availability.