# DOMPurify — Fast DOM-Only XSS Sanitizer for HTML
> A DOM-only, super-fast XSS sanitizer for HTML, MathML, and SVG content.
## Install
Save in your project root:
# DOMPurify — Fast DOM-Only XSS Sanitizer for HTML
## Quick Use
```bash
npm install dompurify
```
```js
import DOMPurify from 'dompurify';
const clean = DOMPurify.sanitize('
');
// => '
'
```
## Introduction
DOMPurify is a security library that sanitizes HTML, MathML, and SVG input to prevent cross-site scripting (XSS) attacks. Developed by the cure53 security research team, it uses the browser's own DOM parser to strip dangerous content while preserving safe markup. It is the most widely adopted HTML sanitizer in the JavaScript ecosystem.
## What DOMPurify Does
- Strips malicious HTML, JavaScript, and event handlers from user-supplied markup
- Preserves safe HTML elements and attributes by default
- Supports sanitization of HTML, MathML, and SVG content
- Provides hook-based customization for advanced filtering rules
- Works in browsers, Node.js (via jsdom), and server-side runtimes
## Architecture Overview
DOMPurify leverages the browser's native DOMParser or a supplied DOM implementation to parse input into a document tree. It then walks the tree, comparing each node and attribute against an allowlist. Dangerous elements like script tags, event handlers, and javascript: URIs are removed. This DOM-based approach avoids regex-based sanitization pitfalls and handles edge cases that trip up string-based sanitizers.
## Self-Hosting & Configuration
- Install via npm: `npm install dompurify`
- For Node.js, also install jsdom: `npm install jsdom`
- Configure allowed tags via `DOMPurify.sanitize(input, { ALLOWED_TAGS: ['b', 'i'] })`
- Add custom hooks with `DOMPurify.addHook('afterSanitizeAttributes', callback)`
- Use `RETURN_DOM` or `RETURN_DOM_FRAGMENT` options for DOM node output instead of strings
## Key Features
- Trusted by thousands of production applications for XSS prevention
- Under 10 KB minified and gzipped
- Full support for custom element allowlists and blocklists
- Hook system for fine-grained control over sanitization
- Handles mutation XSS attacks that bypass regex sanitizers
## Comparison with Similar Tools
- **sanitize-html** — regex and cheerio-based; DOMPurify uses native DOM parsing for better security
- **xss (npm)** — string-based filtering; DOMPurify handles more edge cases via DOM walking
- **Trusted Types API** — browser-native but requires DOMPurify or similar as the sanitizer policy
- **Bleach (Python)** — server-side equivalent for Python; DOMPurify covers JavaScript runtimes
## FAQ
**Q: Can I use DOMPurify on the server?**
A: Yes. Install jsdom and pass its window object to DOMPurify: `const clean = DOMPurify(window).sanitize(dirty);`
**Q: Does it handle SVG content?**
A: Yes. DOMPurify supports HTML, MathML, and SVG sanitization out of the box.
**Q: Can I allow specific attributes like data-* attributes?**
A: Yes. Use `ADD_ATTR: ['data-custom']` in the configuration object to permit additional attributes.
**Q: Is DOMPurify safe against mutation XSS?**
A: Yes. Its DOM-based approach and continuous security auditing by cure53 specifically target mutation XSS vectors.
## Sources
- https://github.com/cure53/DOMPurify
- https://github.com/cure53/DOMPurify/wiki
---
Source: https://tokrepo.com/en/workflows/asset-e746a029
Author: AI Open Source