Dompurify


Super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG!

DOMPurify sanitizes HTML and prevents XSS attacks.

|dirty HTML | => |DOMPurify.sanitize | => | Clean and safe HTML |

The faster your browser, the faster DOMPurify will be ;)

Install it: npm install --save dompurify

Sample usage:

// In the browser DOMPurify uses the page's own DOM; in Node it needs a DOM
// implementation such as jsdom to work against (see the DOMPurify README).
var DOMPurify = require('dompurify');

DOMPurify.sanitize('<img src=x onerror=alert(1)//>'); // becomes <img src="x">

DOMPurify.sanitize('<svg><g/onload=alert(2)//<p>'); // becomes <svg><g></g></svg>

It's configurable: define var config = { ALLOWED_TAGS: ['p', '#text'], KEEP_CONTENT: false }; and then call DOMPurify.sanitize(str, config)

We can also use hooks:

  • beforeSanitizeElements

  • afterSanitizeElements

  • beforeSanitizeAttributes

  • afterSanitizeAttributes

DOMPurify.addHook('beforeSanitizeElements', function(currentNode, hookEvent, config) {
    // Play with currentNode (the DOM node about to be sanitized).
    return currentNode;
});

GIF FTW!
