
DOMPurify: XSS sanitizer for HTML, MathML, SVG

DOM-based XSS sanitizer using native browser parsing.

Repository stats at time of capture (rankings updated 06:51 AM): overall rank #143, security rank #13; 16.5K stars (+15 in the last 7 days), 821 forks (no change in the last 7 days), 15.0M downloads.

Learn more about DOMPurify

DOMPurify is a JavaScript library that sanitizes HTML, MathML, and SVG content to mitigate XSS vulnerabilities. It operates by parsing input strings through the browser's DOM implementation, leveraging native parsing and serialization mechanisms rather than regex-based approaches. The library supports modern browsers including Chrome, Firefox, Safari, and Edge, and can run server-side using Node.js with jsdom. Common use cases include sanitizing user-generated content, processing rich text input, and protecting against injection attacks in web applications.


1. Browser-Native DOM Parsing

Delegates HTML parsing to the browser's native DOM implementation instead of regex or string manipulation. This reuses the same security-tested parser the browser itself applies to the page, so the sanitizer sees markup exactly as the browser will interpret it and avoids the common pitfalls of custom parsing logic.

2. Multi-Format Sanitization Support

Handles HTML, MathML, and SVG content through configurable profiles. The USE_PROFILES option restricts the sanitization scope per format, enabling targeted protection for specific markup types.

3. Configurable Hooks System

Provides hooks for customizing sanitization behavior at key processing stages. Developers can modify, inspect, or reject elements and attributes programmatically, enabling domain-specific security policies beyond the default rules.
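The following is an added example of the hooks system described above; it is not code from the DOMPurify project. It expresses a domain-specific attribute policy as two hooks: an `uponSanitizeAttribute` hook that drops `href`/`src`/`xlink:href` values whose URL scheme is outside an allow-list, and an `afterSanitizeAttributes` hook that forces `rel="noopener noreferrer"` on links that open a new window. The hook names and the `data.attrName` / `data.attrValue` / `data.keepAttr` fields are DOMPurify's documented hook interface; the scheme allow-list, the helper names (`isAllowedUrl`, `urlSchemeHook`, `noopenerHook`, `installHooks`) and the `_blank` rule are assumptions chosen for this example.

```javascript
// Added example (not DOMPurify's own code): a domain-specific attribute policy
// expressed as DOMPurify hooks. The hook names and the `data` fields used here
// (attrName, attrValue, keepAttr) follow DOMPurify's hook API; the URL policy
// itself is an assumption made for this example.

// Assumed policy: URL attributes may be relative or use one of these schemes.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);
const URL_ATTRIBUTES = new Set(['href', 'src', 'xlink:href']);

// Returns true when `value` is a relative URL or uses an allowed scheme.
// ASCII whitespace and control characters are removed before the scheme is
// read, because browsers ignore them when resolving a URL, so a value such as
// " java\nscript:..." still resolves to the javascript: scheme.
function isAllowedUrl(value) {
  const compact = String(value).replace(/[\u0000-\u0020]/g, '');
  const match = /^([a-z][a-z0-9+.-]*):/i.exec(compact);
  if (!match) return true; // no scheme: relative URL
  return ALLOWED_SCHEMES.has(match[1].toLowerCase() + ':');
}

// uponSanitizeAttribute hook: DOMPurify calls it for every attribute it
// considers keeping. Setting data.keepAttr = false drops the attribute;
// DOMPurify's own default checks still run afterwards.
function urlSchemeHook(node, data) {
  if (URL_ATTRIBUTES.has(data.attrName) && !isAllowedUrl(data.attrValue)) {
    data.keepAttr = false;
  }
}

// afterSanitizeAttributes hook: runs once an element's attributes have been
// sanitized. Every surviving <a target="_blank"> gets rel="noopener noreferrer"
// so the opened page cannot reach window.opener.
function noopenerHook(node) {
  if (node.nodeName === 'A' && node.getAttribute('target') === '_blank') {
    node.setAttribute('rel', 'noopener noreferrer');
  }
}

// Registers both hooks on a DOMPurify instance (assumed helper). In a browser:
//   import DOMPurify from 'dompurify';
//   installHooks(DOMPurify);
//   const clean = DOMPurify.sanitize(dirty);
// In Node.js the instance is created from a jsdom window instead.
function installHooks(purifier) {
  purifier.addHook('uponSanitizeAttribute', urlSchemeHook);
  purifier.addHook('afterSanitizeAttributes', noopenerHook);
  return purifier;
}
```

Keep the policy in the hooks strict and simple: the hook only ever narrows what DOMPurify's defaults already allow (it never sets `data.forceKeepAttr`), so a mistake in the custom rule cannot widen the attack surface beyond the library's own allow-list.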


import DOMPurify from 'dompurify';

// Untrusted markup: the onerror handler would run script as soon as the image fails to load.
const userInput = '<img src=x onerror=alert(1)>Hello <b>World</b>';
const cleanHTML = DOMPurify.sanitize(userInput);

// Safe to assign: only allow-listed elements and attributes survive.
document.getElementById('content').innerHTML = cleanHTML;
// cleanHTML === '<img src="x">Hello <b>World</b>' (the <img> and its src are kept; the onerror handler is removed)


v3.3.0

Maintenance release adds SVG mask-type attribute, function support for ADD_ATTR/ADD_TAGS, and fixes slot element duplication.

  • Pass functions to ADD_ATTR and ADD_TAGS config options for dynamic allow-list control at sanitization time.
  • SVG mask-type attribute now allowed by default; slot element duplication between SVG and HTML lists resolved.

v3.2.7

Security-focused patch improving CDATA handling and animated href checks; expands default allow-list and refines custom element hooks.

  • Review CDATA and textarea sanitization logic if you process user-supplied XML or raw-text elements.
  • Leverage the new `tagName` parameter in `attributeNameCheck` hooks for custom element validation if needed.

v3.2.6

Hardens config against prototype pollution and removes script triggering false CVE-2025-48050; no breaking changes noted.

  • Update to eliminate false-positive CVE-2025-48050 alert caused by removed script.
  • Review custom configs for prototype pollution risks now mitigated by hardened validation.
