DOMPurify: XSS sanitizer for HTML, MathML, SVG
DOM-based XSS sanitizer using native browser parsing.
DOMPurify is a JavaScript library that sanitizes HTML, MathML, and SVG content to mitigate XSS vulnerabilities. It operates by parsing input strings through the browser's DOM implementation, leveraging native parsing and serialization mechanisms rather than regex-based approaches. The library supports modern browsers including Chrome, Firefox, Safari, and Edge, and can run server-side using Node.js with jsdom. Common use cases include sanitizing user-generated content, processing rich text input, and protecting against injection attacks in web applications.
Browser-Native DOM Parsing
Delegates HTML parsing to the browser's native DOM implementation instead of regex or string manipulation. Leverages the same security-tested parser used by the browser itself, avoiding common pitfalls of custom parsing logic.
Multi-Format Sanitization Support
Handles HTML, MathML, and SVG content through configurable profiles. The `USE_PROFILES` option restricts which of these markup families is allowed through, enabling targeted protection for specific markup types.
Configurable Hooks System
Provides hooks for customizing sanitization behavior at key processing stages. Developers can modify, inspect, or reject elements and attributes programmatically, enabling domain-specific security policies beyond default rules.
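Illustrating the hooks system described above, an added example that is not DOMPurify's own code: a `uponSanitizeAttribute` hook that enforces a per-site URL allow-list on link and resource attributes. The hook name and the `data.attrName`, `data.attrValue` and `data.keepAttr` fields are DOMPurify's real hook API; `ALLOWED_ORIGINS`, `SITE_BASE` and the helper function names are assumptions made for this example.

```javascript
// Added example: a DOMPurify uponSanitizeAttribute hook (not DOMPurify's own code).
// Policy: URL-bearing attributes may only point to a relative path or to an
// allow-listed origin. DOMPurify's default ALLOWED_URI_REGEXP already blocks
// javascript: URIs; this hook narrows further to a per-site list.

const ALLOWED_ORIGINS = new Set(['https://example.com', 'https://cdn.example.com']); // assumed
const URL_ATTRS = new Set(['href', 'src', 'xlink:href', 'action']);
// Base used only to resolve relative references (assumed site origin).
const SITE_BASE = 'https://example.com/';

// True when the value resolves to an allow-listed origin.
function isAllowedUrl(value) {
  let url;
  try {
    url = new URL(String(value).trim(), SITE_BASE);
  } catch (e) {
    return false; // unparsable, drop it
  }
  // Non-http(s) schemes such as javascript: or data: have origin "null" and
  // fail; a protocol-relative "//host/path" resolves to that host and fails too.
  return ALLOWED_ORIGINS.has(url.origin);
}

// Hook with DOMPurify's (node, data, config) signature. DOMPurify passes the
// lower-cased attribute name in data.attrName and the value in data.attrValue;
// setting data.keepAttr = false makes it remove the attribute.
function restrictUrlAttributes(node, data) {
  if (!URL_ATTRS.has(data.attrName)) return;
  if (!isAllowedUrl(data.attrValue)) {
    data.keepAttr = false;
  }
}

// Registers the hook on a DOMPurify instance, e.g. registerUrlPolicy(DOMPurify)
// after `import DOMPurify from 'dompurify'`; the import is left out here so the
// policy code runs without the package installed.
function registerUrlPolicy(purifier) {
  purifier.addHook('uponSanitizeAttribute', restrictUrlAttributes);
  return purifier;
}

// Runs the hook on a constructed data object; returns whether the attribute survives.
function applyHookTo(attrName, attrValue) {
  const data = { attrName, attrValue, keepAttr: true };
  restrictUrlAttributes(null, data);
  return data.keepAttr;
}
```

`applyHookTo` exercises the hook against a constructed `data` object so the policy can be unit-tested without a DOM; in the application, `registerUrlPolicy(DOMPurify)` runs once before the first `sanitize` call.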
```javascript
import DOMPurify from 'dompurify';
const userInput = '<img src=x onerror=alert(1)>Hello <b>World</b>';
const cleanHTML = DOMPurify.sanitize(userInput);
document.getElementById('content').innerHTML = cleanHTML;
// Output: <img src="x">Hello <b>World</b> (the onerror handler is stripped, the img element itself is kept)
```

Improves ADD_FORBID_CONTENTS setting functionality and corrects ESM import syntax.
- Updated `ADD_FORBID_CONTENTS` setting to extend default list
- Updated the ESM import syntax to be more correct
Adds SVG mask-type attribute support and enables function parameters for ADD_ATTR and ADD_TAGS.
- Added the SVG `mask-type` attribute to default allow-list
- Added support for `ADD_ATTR` and `ADD_TAGS` to accept functions
- Fixed an issue with the `slot` element being in both SVG and HTML allow-list
Enhances security with improved CDATA handling and expanded default allow-lists.
- Added new attributes and elements to default allow-list
- Added `tagName` parameter to custom element `attributeNameCheck`
- Added better check for animated `href` attributes
- Updated and improved the bundled types
- Updated several tests to better align with new browser encoding behaviors