Esta página se muestra en inglés. Una traducción al español está en curso.
ConfigsJul 7, 2026·3 min de lectura

DOMPurify — Fast DOM-Only XSS Sanitizer for HTML

A DOM-only, super-fast XSS sanitizer for HTML, MathML, and SVG content.

Listo para agents

Instalación lista para agent

Este activo puede instalarse después de elegir el runtime, revisar el plan y ejecutar el comando correspondiente.

Native · 98/100Política: permitir
Superficie agent
Cualquier agent MCP/CLI
Tipo
Skill
Instalación
Single
Confianza
Confianza: Established
Entrada
DOMPurify Overview
Comando de instalación directa
npx -y tokrepo@latest install e746a029-799d-11f1-9bc6-00163e2b0d79 --target codex

Ejecutar después de confirmar el plan con dry-run.

Introduction

DOMPurify is a security library that sanitizes HTML, MathML, and SVG input to prevent cross-site scripting (XSS) attacks. Developed by the cure53 security research team, it uses the browser's own DOM parser to strip dangerous content while preserving safe markup. It is the most widely adopted HTML sanitizer in the JavaScript ecosystem.

What DOMPurify Does

  • Strips malicious HTML, JavaScript, and event handlers from user-supplied markup
  • Preserves safe HTML elements and attributes by default
  • Supports sanitization of HTML, MathML, and SVG content
  • Provides hook-based customization for advanced filtering rules
  • Works in browsers, Node.js (via jsdom), and server-side runtimes

Architecture Overview

DOMPurify leverages the browser's native DOMParser or a supplied DOM implementation to parse input into a document tree. It then walks the tree, comparing each node and attribute against an allowlist. Dangerous elements like script tags, event handlers, and javascript: URIs are removed. This DOM-based approach avoids regex-based sanitization pitfalls and handles edge cases that trip up string-based sanitizers.

Self-Hosting & Configuration

  • Install via npm: npm install dompurify
  • For Node.js, also install jsdom: npm install jsdom
  • Configure allowed tags via DOMPurify.sanitize(input, { ALLOWED_TAGS: ['b', 'i'] })
  • Add custom hooks with DOMPurify.addHook('afterSanitizeAttributes', callback)
  • Use RETURN_DOM or RETURN_DOM_FRAGMENT options for DOM node output instead of strings

Key Features

  • Trusted by thousands of production applications for XSS prevention
  • Under 10 KB minified and gzipped
  • Full support for custom element allowlists and blocklists
  • Hook system for fine-grained control over sanitization
  • Handles mutation XSS attacks that bypass regex sanitizers

Comparison with Similar Tools

  • sanitize-html — regex and cheerio-based; DOMPurify uses native DOM parsing for better security
  • xss (npm) — string-based filtering; DOMPurify handles more edge cases via DOM walking
  • Trusted Types API — browser-native but requires DOMPurify or similar as the sanitizer policy
  • Bleach (Python) — server-side equivalent for Python; DOMPurify covers JavaScript runtimes

FAQ

Q: Can I use DOMPurify on the server? A: Yes. Install jsdom and pass its window object to DOMPurify: const clean = DOMPurify(window).sanitize(dirty);

Q: Does it handle SVG content? A: Yes. DOMPurify supports HTML, MathML, and SVG sanitization out of the box.

Q: Can I allow specific attributes like data- attributes?* A: Yes. Use ADD_ATTR: ['data-custom'] in the configuration object to permit additional attributes.

Q: Is DOMPurify safe against mutation XSS? A: Yes. Its DOM-based approach and continuous security auditing by cure53 specifically target mutation XSS vectors.

Sources

Discusión

Inicia sesión para unirte a la discusión.
Aún no hay comentarios. Sé el primero en compartir tus ideas.

Activos relacionados