Configs2026年7月7日·1 分钟阅读

DOMPurify — Fast DOM-Only XSS Sanitizer for HTML

A DOM-only, super-fast XSS sanitizer for HTML, MathML, and SVG content.

Agent 就绪

Agent 可直接安装

这个资产可安装;Agent 先选择当前运行时、检查安装计划,再运行匹配命令。

Native · 98/100策略:允许
Agent 入口
任意 MCP/CLI Agent
类型
Skill
安装
Single
信任
信任等级:Established
入口
DOMPurify Overview
直接安装命令
npx -y tokrepo@latest install e746a029-799d-11f1-9bc6-00163e2b0d79 --target codex

先 dry-run 确认安装计划,再运行此命令。

Introduction

DOMPurify is a security library that sanitizes HTML, MathML, and SVG input to prevent cross-site scripting (XSS) attacks. Developed by the cure53 security research team, it uses the browser's own DOM parser to strip dangerous content while preserving safe markup. It is the most widely adopted HTML sanitizer in the JavaScript ecosystem.

What DOMPurify Does

  • Strips malicious HTML, JavaScript, and event handlers from user-supplied markup
  • Preserves safe HTML elements and attributes by default
  • Supports sanitization of HTML, MathML, and SVG content
  • Provides hook-based customization for advanced filtering rules
  • Works in browsers, Node.js (via jsdom), and server-side runtimes

Architecture Overview

DOMPurify leverages the browser's native DOMParser or a supplied DOM implementation to parse input into a document tree. It then walks the tree, comparing each node and attribute against an allowlist. Dangerous elements like script tags, event handlers, and javascript: URIs are removed. This DOM-based approach avoids regex-based sanitization pitfalls and handles edge cases that trip up string-based sanitizers.

Self-Hosting & Configuration

  • Install via npm: npm install dompurify
  • For Node.js, also install jsdom: npm install jsdom
  • Configure allowed tags via DOMPurify.sanitize(input, { ALLOWED_TAGS: ['b', 'i'] })
  • Add custom hooks with DOMPurify.addHook('afterSanitizeAttributes', callback)
  • Use RETURN_DOM or RETURN_DOM_FRAGMENT options for DOM node output instead of strings

Key Features

  • Trusted by thousands of production applications for XSS prevention
  • Under 10 KB minified and gzipped
  • Full support for custom element allowlists and blocklists
  • Hook system for fine-grained control over sanitization
  • Handles mutation XSS attacks that bypass regex sanitizers

Comparison with Similar Tools

  • sanitize-html — regex and cheerio-based; DOMPurify uses native DOM parsing for better security
  • xss (npm) — string-based filtering; DOMPurify handles more edge cases via DOM walking
  • Trusted Types API — browser-native but requires DOMPurify or similar as the sanitizer policy
  • Bleach (Python) — server-side equivalent for Python; DOMPurify covers JavaScript runtimes

FAQ

Q: Can I use DOMPurify on the server? A: Yes. Install jsdom and pass its window object to DOMPurify: const clean = DOMPurify(window).sanitize(dirty);

Q: Does it handle SVG content? A: Yes. DOMPurify supports HTML, MathML, and SVG sanitization out of the box.

Q: Can I allow specific attributes like data- attributes?* A: Yes. Use ADD_ATTR: ['data-custom'] in the configuration object to permit additional attributes.

Q: Is DOMPurify safe against mutation XSS? A: Yes. Its DOM-based approach and continuous security auditing by cure53 specifically target mutation XSS vectors.

Sources

讨论

登录后参与讨论。
还没有评论,来写第一条吧。

相关资产