Web アプリケーションにおける HTML サニタイズライブラリの選定
dompurify、sanitize-html、xss、xss-filters は、すべてユーザー入力された HTML コードから悪意のあるスクリプトを除去し、クロスサイトスクリプティング(XSS)攻撃を防ぐためのライブラリです。これらは、ブログのコメント機能、リッチテキストエディタ、または外部から取得した HTML コンテンツを安全に表示する必要がある場面で使用されます。各ライブラリは、実行環境(ブラウザか Node.js か)、設定の柔軟性、そしてメンテナンス状況において異なる特徴を持っています。
npmのダウンロードトレンド
GitHub Starsランキング
統計詳細
Web アプリケーションにおける HTML サニタイズライブラリの選定:DOMPurify vs sanitize-html vs xss vs xss-filters
ユーザーから受け取った HTML コンテンツをそのまま表示することは、セキュリティ上の重大なリスクとなります。悪意のあるユーザーが <script> タグやイベントハンドラを埋め込むことで、セッションハイジャックやデータ窃取を行うクロスサイトスクリプティング(XSS)攻撃が可能になるからです。dompurify、sanitize-html、xss、xss-filters はいずれもこの問題を解決するためのライブラリですが、そのアプローチと適した環境は大きく異なります。
🌍 実行環境:ブラウザか Node.js か
ライブラリを選ぶ際、最初に確認すべきは「どこで実行するか」です。クライアントサイドでサニタイズするか、サーバーサイドで行うかで選択肢が絞られます。
dompurify はブラウザの DOM API を直接利用して処理を行うため、ブラウザ環境での動作が最も最適化されています。Node.js 環境でも jsdom などを組み合わせることで動作可能ですが、本来の強みはクライアントサイドにあります。
// dompurify: ブラウザ環境での使用例
const clean = DOMPurify.sanitize('<img src=x onerror=alert(1)>');
// 結果:<img src="x">
sanitize-html は Node.js 環境向けに設計されており、ブラウザでの動作はサポートされていません。サーバー側で受信したデータを保存前にクリーンアップする用途に適しています。
// sanitize-html: Node.js 環境での使用例
const sanitizeHtml = require('sanitize-html');
const clean = sanitizeHtml('<img src=x onerror=alert(1)>');
// 結果:<img src="x" />
xss も同様に Node.js 環境(および一部のバンドル環境)を想定しています。軽量な実装であり、サーバーサイドのミドルウェアなどで手軽に利用されます。
// xss: Node.js 環境での使用例
const { filterXSS } = require('xss');
const clean = filterXSS('<img src=x onerror=alert(1)>');
// 結果:<img src="x">
xss-filters はかつて Yahoo によって開発されましたが、現在はメンテナンスが終了しています。技術的には Node.js とブラウザの両方で動作しましたが、現在は使用すべきではありません。
// xss-filters: 非推奨のため使用しないこと
// const xssFilters = require('xss-filters');
// const clean = xssFilters.inHTMLData('<img src=x onerror=alert(1)>');
⚙️ 設定の柔軟性とカスタマイズ
セキュリティポリシーはプロジェクトによって異なります。「すべてのタグを禁止したい」場合もあれば、「特定のクラス名は許可したい」場合もあります。各ライブラリの設定能力を比較します。
dompurify は、許可するタグや属性を配列で指定できます。また、フック機能を使用して、サニタイズ処理の前後に独自のロジックを挟むことが可能です。
// dompurify: 設定とフックの例
DOMPurify.sanitize(dirty, {
ALLOWED_TAGS: ['b', 'i', 'em', 'strong', 'a'],
ALLOWED_ATTR: ['href']
});
// フックを使用してリンクのターゲットを強制設定
DOMPurify.addHook('afterSanitizeAttributes', function(node) {
if (node.tagName === 'A') {
node.setAttribute('target', '_blank');
}
});
sanitize-html は非常に詳細な設定が可能です。タグごとの属性制限、CSS クラスのホワイトリスト、プロトコルの制限などを細かく定義できます。
// sanitize-html: 詳細な設定例
const clean = sanitizeHtml(dirty, {
allowedTags: ['b', 'i', 'em', 'strong', 'a'],
allowedAttributes: {
'a': ['href']
},
allowedSchemes: ['http', 'https']
});
xss は、デフォルトのホワイトリストモードと、完全にカスタマイズするモードを選択できます。カスタマイズ時は、タグごとの処理関数を定義することが可能です。
// xss: カスタマイズオプションの例
const clean = filterXSS(dirty, {
whiteList: {
a: ['href', 'title'],
b: []
},
onTag: function(tag, html, options) {
// 特定のタグを処理するカスタムロジック
}
});
xss-filters は、コンテキストに応じたフィルター関数(inHTMLData、inUnQuotedAttr など)を提供していました。しかし、開発者がコンテキストを手動で選択する必要があり、使い方を間違えるとセキュリティホールになるリスクがありました。
// xss-filters: 文脈による使い分けが必要だった(非推奨)
// const clean = xssFilters.inHTMLData(dirty);
// const cleanAttr = xssFilters.inUnQuotedAttr(dirty);
🛡️ セキュリティとメンテナンス状況
セキュリティライブラリにおいて、メンテナンス状況は機能以上に重要です。脆弱性が見つかった際に、迅速に修正されるかが鍵となります。
dompurify はセキュリティ研究コミュニティによって頻繁に監査されており、脆弱性が発見されても即座に修正される体制が整っています。多くの主要なプラットフォームで採用されている事実が、その信頼性を裏付けています。
sanitize-html も長年メンテナンスされており、安定しています。ただし、ブラウザの新しい機能に対する対応は dompurify に比べて遅れる傾向があります。サーバーサイド利用に限定すれば十分な安全性を確保できます。
xss は軽量さを売りにしており、基本的な XSS 対策には十分です。しかし、複雑な攻撃ベクターに対する防御力は dompurify ほど強固ではないという報告が過去に存在します。シンプルな用途に向いています。
xss-filters は 公式に非推奨(Deprecated) となっています。GitHub リポジトリはアーカイブされており、セキュリティ修正は行われません。これを使用し続けることは、既知の脆弱性を放置することと同義です。
// ⚠️ 警告: xss-filters は使用しないでください
// 代わりに dompurify または sanitize-html を選定してください
📊 実装の違いによる出力結果
同じ入力を与えた場合でも、ライブラリによって出力結果が異なることがあります。特にクォートの処理や、許可されていないタグの扱いに違いが出ます。
dompurify は、ブラウザのパーサーを基準にしているため、ブラウザでのレンダリング結果と整合性が取りやすいです。
// 入力:<a href="javascript:alert(1)">click</a>
// dompurify 出力:<a>click</a> (危険なプロトコルを除去)
sanitize-html は、サーバー側のパーサー(htmlparser2)を使用するため、ブラウザの挙動と微妙に異なる場合があります。特に自己閉じタグの扱いなどに注意が必要です。
// 入力:<a href="javascript:alert(1)">click</a>
// sanitize-html 出力:<a>click</a>
xss は、デフォルトで危険なプロトコルをフィルタリングしますが、設定によっては動作が変わります。
// 入力:<a href="javascript:alert(1)">click</a>
// xss 出力:<a href>click</a> (属性名は残るが値は消える設定もあり)
🌱 共通点:基本的な仕組み
これら 4 つのライブラリは、根本的なアプローチとして「ホワイトリスト方式」を採用しています。ブラックリスト(危険なものを除去)ではなく、安全なものを許可するリストに基づいて処理を行うことで、未知の攻撃パターンにも対抗します。
1. HTML パーシング
- すべて文字列を一度解析ツリーに変換してから処理を行います。
- 正規表現のみでの置換は行わず、構造を理解した上で除去を行います。
// どのライブラリも、単純な文字列置換ではない
// 例:'<scr' + 'ipt>' といった回避策も検知可能
2. 属性のフィルタリング
onclickなどのイベントハンドラはデフォルトで除去されます。style属性も、CSS インジェクションを防ぐために制限されることが多いです。
// 入力:<div onclick="evil()" style="background:url(evil)">text</div>
// 出力:<div>text</div> (イベントとスタイルが除去される)
3. プロトコルの検証
href属性のjavascript:やdata:URI は危険とみなされます。- 許可リスト(
http,https)に含まれないプロトコルは削除されます。
// 入力:<a href="javascript:void(0)">link</a>
// 出力:<a>link</a>
📌 選定ガイドまとめ
| 特徴 | dompurify | sanitize-html | xss | xss-filters |
|---|---|---|---|---|
| 主環境 | ブラウザ / Node.js | Node.js | Node.js | 両方(非推奨) |
| 設定性 | 高い | 非常に高い | 中 | 低 |
| メンテナンス | 活発 | 安定的 | 安定的 | 終了(非推奨) |
| 推奨度 | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐ | ⭐⭐⭐ | ❌ |
💡 結論:どれを選ぶべきか
dompurify が、ほぼすべてのケースにおける最適解です。ブラウザで動作させる場合はもちろん、Node.js で使用する際も、その堅牢なセキュリティ実績から第一選択とするべきです。
sanitize-html は、サーバーサイドで複雑な HTML 構造を扱う場合や、dompurify の Node.js 環境での依存関係(jsdom など)を避けたい場合に有効な選択肢です。
xss は、非常に軽量な処理が求められる場合や、シンプルなフィルタリングで十分な場合に検討できます。
xss-filters は、セキュリティリスクが高いため、既存プロジェクトからも速やかに移行してください。
最終的なアドバイス:セキュリティライブラリは「設定して忘れる」ものではありません。定期的にアップデートを適用し、脆弱性情報を監視し続けることが、安全なアプリケーションを維持するための鍵となります。
選び方: dompurify vs sanitize-html vs xss vs xss-filters
- dompurify:
ブラウザ環境および Node.js 環境の両方で動作する、最も信頼性の高いライブラリです。セキュリティの勘定が厳しく、最新のブラウザ機能にも対応したい場合に選択します。コミュニティでの採用実績が圧倒的に多く、長期的なメンテナンスが保証されているため、新規プロジェクトの第一候補となります。
- sanitize-html:
Node.js サーバーサイドでの処理に特化しており、設定可能なオプションが非常に豊富です。許可するタグや属性を細かく制御したい場合や、サーバー側で事前に HTML をクリーンアップするパイプラインを構築する際に適しています。ブラウザでの動作は想定されていません。
- xss:
軽量で高速な処理を重視する Node.js 環境向けライブラリです。デフォルトのホワイトリスト設定が用意されており、追加の設定なしですぐに使い始めたい場合に便利です。ただし、
dompurifyに比べるとカスタマイズ性はやや劣ります。 - xss-filters:
このパッケージは公式に非推奨(Deprecated)となっており、新規プロジェクトでの使用は避けるべきです。セキュリティ上の修正が行われないリスクがあるため、既存プロジェクトでも
dompurifyやsanitize-htmlへの移行を検討してください。
人気の比較
dompurify のREADME
DOMPurify
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG.
It's also very simple to use and get started with. DOMPurify was started in February 2014 and, meanwhile, has reached version v3.4.7.
DOMPurify runs as JavaScript and works in all modern browsers (Safari (10+), Opera (15+), Edge, Firefox and Chrome - as well as almost anything else using Blink, Gecko or WebKit). It doesn't break on MSIE or other legacy browsers. It simply does nothing.
Note that DOMPurify v2.5.9 is the latest version supporting MSIE. For important security updates compatible with MSIE, please use the 2.x branch.
Our automated tests cover 9 browser/OS combinations (Chromium, Firefox, and WebKit across Ubuntu, macOS, and Windows) on every push, plus Node.js v20, v22, v24, v25 and v26 running DOMPurify on jsdom. Older Node versions are known to work as well, but hey... no guarantees.
DOMPurify is written by security people who have vast background in web attacks and XSS. Fear not. For more details please also read about our Security Goals & Threat Model. Please, read it. Like, really.
The DOMPurify project inspired the creation of the HTML Sanitizer API, which is already shipping in many browsers.
What does it do?
DOMPurify sanitizes HTML and prevents XSS attacks. You can feed DOMPurify with e.g. a string full of dirty HTML and it will return a string (unless configured otherwise) with clean HTML. DOMPurify will strip out everything that contains dangerous HTML and thereby prevent XSS attacks and other nastiness. It's also damn bloody fast. We use the technologies the browser provides and turn them into an XSS filter. The faster your browser, the faster DOMPurify will be.
How do I use it?
It's easy. Just include DOMPurify on your website.
Using the unminified version (source-map available)
<script type="text/javascript" src="dist/purify.js"></script>
Using the minified and tested production version (source-map available)
<script type="text/javascript" src="dist/purify.min.js"></script>
Afterwards you can sanitize strings by executing the following code:
const clean = DOMPurify.sanitize(dirty);
Or maybe this, if you love working with Angular or alike:
import DOMPurify from 'dompurify';
const clean = DOMPurify.sanitize('<b>hello there</b>');
The resulting HTML can be written into a DOM element using innerHTML or the DOM using document.write(). That is fully up to you.
Note that by default, we permit HTML, SVG and MathML. If you only need HTML, which might be a very common use-case, you can easily set that up as well:
const clean = DOMPurify.sanitize(dirty, { USE_PROFILES: { html: true } });
Is there any foot-gun potential?
Well, please note, if you first sanitize HTML and then modify it afterwards, you might easily void the effects of sanitization. If you feed the sanitized markup to another library after sanitization, please be certain that the library doesn't mess around with the HTML on its own.
Okay, makes sense, let's move on
After sanitizing your markup, you can also have a look at the property DOMPurify.removed and find out, what elements and attributes were thrown out. Please do not use this property for making any security critical decisions. This is just a little helper for curious minds.
Running DOMPurify on the server
DOMPurify technically also works server-side with Node.js. Our support strives to follow the Node.js release cycle.
Running DOMPurify on the server requires a DOM to be present, which is probably no surprise. Usually, jsdom is the tool of choice and we strongly recommend to use the latest version of jsdom.
Why? Because older versions of jsdom are known to be buggy in ways that result in XSS even if DOMPurify does everything 100% correctly. There are known attack vectors in, e.g. jsdom v19.0.0 that are fixed in jsdom v20.0.0 - and we really recommend to keep jsdom up to date because of that.
Please also be aware that tools like happy-dom exist but are not considered safe at this point. Combining DOMPurify with happy-dom is currently not recommended and will likely lead to XSS.
Other than that, you are fine to use DOMPurify on the server. Probably. This really depends on jsdom or whatever DOM you utilize server-side. If you can live with that, this is how you get it to work:
npm install dompurify
npm install jsdom
For jsdom (please use an up-to-date version), this should do the trick:
const createDOMPurify = require('dompurify');
const { JSDOM } = require('jsdom');
const window = new JSDOM('').window;
const DOMPurify = createDOMPurify(window);
const clean = DOMPurify.sanitize('<b>hello there</b>');
Or even this, if you prefer working with imports:
import { JSDOM } from 'jsdom';
import DOMPurify from 'dompurify';
const window = new JSDOM('').window;
const purify = DOMPurify(window);
const clean = purify.sanitize('<b>hello there</b>');
If you have problems making it work in your specific setup, consider looking at the amazing isomorphic-dompurify project which solves lots of problems people might run into.
npm install isomorphic-dompurify
import DOMPurify from 'isomorphic-dompurify';
const clean = DOMPurify.sanitize('<s>hello</s>');
Is there a demo?
Of course there is a demo! Play with DOMPurify
What if I find a security bug?
First of all, please immediately contact us via email so we can work on a fix. PGP key
Also, you probably qualify for a bug bounty! The fine folks over at Fastmail use DOMPurify for their services and added our library to their bug bounty scope. So, if you find a way to bypass or weaken DOMPurify, please also have a look at their website and the bug bounty info.
Some purification samples please?
How does purified markup look like? Well, the demo shows it for a big bunch of nasty elements. But let's also show some smaller examples!
DOMPurify.sanitize('<img src=x onerror=alert(1)//>'); // becomes <img src="https://raw.githubusercontent.com/cure53/DOMPurify/HEAD/x">
DOMPurify.sanitize('<svg><g/onload=alert(2)//<p>'); // becomes <svg><g></g></svg>
DOMPurify.sanitize('<p>abc<iframe//src=jAva	script:alert(3)>def</p>'); // becomes <p>abc</p>
DOMPurify.sanitize('<math><mi//xlink:href="data:x,<script>alert(4)</script>">'); // becomes <math><mi></mi></math>
DOMPurify.sanitize('<TABLE><tr><td>HELLO</tr></TABL>'); // becomes <table><tbody><tr><td>HELLO</td></tr></tbody></table>
DOMPurify.sanitize('<UL><li><A HREF=//google.com>click</UL>'); // becomes <ul><li><a href="https://github.com/cure53/DOMPurify/blob/HEAD///google.com">click</a></li></ul>
What is supported?
DOMPurify currently supports HTML5, SVG and MathML. DOMPurify per default allows CSS, HTML custom data attributes. DOMPurify also supports the Shadow DOM - and sanitizes DOM templates recursively. DOMPurify also allows you to sanitize HTML for being used with the jQuery $() and elm.html() API without any known problems.
What about legacy browsers like Internet Explorer?
DOMPurify does nothing at all. It simply returns exactly the string that you fed it. DOMPurify exposes a property called isSupported, which tells you whether it will be able to do its job, so you can come up with your own backup plan.
What about DOMPurify and Trusted Types?
In version 1.0.9, support for Trusted Types API was added to DOMPurify. In version 2.0.0, a config flag was added to control DOMPurify's behavior regarding this.
When DOMPurify.sanitize is used in an environment where the Trusted Types API is available and RETURN_TRUSTED_TYPE is set to true, it tries to return a TrustedHTML value instead of a string (the behavior for RETURN_DOM and RETURN_DOM_FRAGMENT config options does not change).
Note that in order to create a policy in trustedTypes using DOMPurify, RETURN_TRUSTED_TYPE: false is required, as createHTML expects a normal string, not TrustedHTML. The example below shows this.
window.trustedTypes.createPolicy('default', {
createHTML: (to_escape) =>
DOMPurify.sanitize(to_escape, { RETURN_TRUSTED_TYPE: false }),
});
Can I configure DOMPurify?
Yes. The included default configuration values are pretty good already - but you can of course override them. Check out the /demos folder to see a bunch of examples on how you can customize DOMPurify.
General settings
// strip {{ ... }}, ${ ... } and <% ... %> to make output safe for template systems
// be careful please, this mode is not recommended for production usage.
// allowing template parsing in user-controlled HTML is not advised at all.
// only use this mode if there is really no alternative.
const clean = DOMPurify.sanitize(dirty, { SAFE_FOR_TEMPLATES: true });
// change how e.g. comments containing risky HTML characters are treated.
// be very careful, this setting should only be set to `false` if you really only handle
// HTML and nothing else, no SVG, MathML or the like.
// Otherwise, changing from `true` to `false` will lead to XSS in this or some other way.
const clean = DOMPurify.sanitize(dirty, { SAFE_FOR_XML: false });
Control our allow-lists and block-lists
// allow only <b> elements, very strict
const clean = DOMPurify.sanitize(dirty, { ALLOWED_TAGS: ['b'] });
// allow only <b> and <q> with style attributes
const clean = DOMPurify.sanitize(dirty, {
ALLOWED_TAGS: ['b', 'q'],
ALLOWED_ATTR: ['style'],
});
// allow all safe HTML elements but neither SVG nor MathML
// note that the USE_PROFILES setting will override the ALLOWED_TAGS setting
// so don't use them together
const clean = DOMPurify.sanitize(dirty, { USE_PROFILES: { html: true } });
// allow all safe SVG elements and SVG Filters, no HTML or MathML
const clean = DOMPurify.sanitize(dirty, {
USE_PROFILES: { svg: true, svgFilters: true },
});
// allow all safe MathML elements and SVG, but no SVG Filters
const clean = DOMPurify.sanitize(dirty, {
USE_PROFILES: { mathMl: true, svg: true },
});
// change the default namespace from HTML to something different
const clean = DOMPurify.sanitize(dirty, {
NAMESPACE: 'http://www.w3.org/2000/svg',
});
// leave all safe HTML as it is and add <style> elements to block-list
const clean = DOMPurify.sanitize(dirty, { FORBID_TAGS: ['style'] });
// leave all safe HTML as it is and add style attributes to block-list
const clean = DOMPurify.sanitize(dirty, { FORBID_ATTR: ['style'] });
// extend the existing array of allowed tags and add <my-tag> to allow-list
const clean = DOMPurify.sanitize(dirty, { ADD_TAGS: ['my-tag'] });
// extend the existing array of allowed attributes and add my-attr to allow-list
const clean = DOMPurify.sanitize(dirty, { ADD_ATTR: ['my-attr'] });
// use functions to control which additional tags and attributes are allowed
const allowlist = {
one: ['attribute-one'],
two: ['attribute-two'],
};
const clean = DOMPurify.sanitize(
'<one attribute-one="1" attribute-two="2"></one><two attribute-one="1" attribute-two="2"></two>',
{
ADD_TAGS: (tagName) => {
return Object.keys(allowlist).includes(tagName);
},
ADD_ATTR: (attributeName, tagName) => {
return allowlist[tagName]?.includes(attributeName) || false;
},
}
); // <one attribute-one="1"></one><two attribute-two="2"></two>
// prohibit ARIA attributes, leave other safe HTML as is (default is true)
const clean = DOMPurify.sanitize(dirty, { ALLOW_ARIA_ATTR: false });
// prohibit HTML5 data attributes, leave other safe HTML as is (default is true)
const clean = DOMPurify.sanitize(dirty, { ALLOW_DATA_ATTR: false });
Control behavior relating to Custom Elements
// DOMPurify allows to define rules for Custom Elements. When using the CUSTOM_ELEMENT_HANDLING
// literal, it is possible to define exactly what elements you wish to allow (by default, none are allowed).
//
// The same goes for their attributes. By default, the built-in or configured allow.list is used.
//
// You can use a RegExp literal to specify what is allowed or a predicate, examples for both can be seen below.
// When using a predicate function for attributeNameCheck, it can optionally receive the tagName as a second parameter
// for more granular control over which attributes are allowed for specific elements.
// The default values are very restrictive to prevent accidental XSS bypasses. Handle with great care!
const clean = DOMPurify.sanitize(
'<foo-bar baz="foobar" forbidden="true"></foo-bar><div is="foo-baz"></div>',
{
CUSTOM_ELEMENT_HANDLING: {
tagNameCheck: null, // no custom elements are allowed
attributeNameCheck: null, // default / standard attribute allow-list is used
allowCustomizedBuiltInElements: false, // no customized built-ins allowed
},
}
); // <div is=""></div>
const clean = DOMPurify.sanitize(
'<foo-bar baz="foobar" forbidden="true"></foo-bar><div is="foo-baz"></div>',
{
CUSTOM_ELEMENT_HANDLING: {
tagNameCheck: /^foo-/, // allow all tags starting with "foo-"
attributeNameCheck: /baz/, // allow all attributes containing "baz"
allowCustomizedBuiltInElements: true, // customized built-ins are allowed
},
}
); // <foo-bar baz="foobar"></foo-bar><div is="foo-baz"></div>
const clean = DOMPurify.sanitize(
'<foo-bar baz="foobar" forbidden="true"></foo-bar><div is="foo-baz"></div>',
{
CUSTOM_ELEMENT_HANDLING: {
tagNameCheck: (tagName) => tagName.match(/^foo-/), // allow all tags starting with "foo-"
attributeNameCheck: (attr) => attr.match(/baz/), // allow all containing "baz"
allowCustomizedBuiltInElements: true, // allow customized built-ins
},
}
); // <foo-bar baz="foobar"></foo-bar><div is="foo-baz"></div>
// Example with attributeNameCheck receiving tagName as a second parameter
const clean = DOMPurify.sanitize(
'<element-one attribute-one="1" attribute-two="2"></element-one><element-two attribute-one="1" attribute-two="2"></element-two>',
{
CUSTOM_ELEMENT_HANDLING: {
tagNameCheck: (tagName) => tagName.match(/^element-(one|two)$/),
attributeNameCheck: (attr, tagName) => {
if (tagName === 'element-one') {
return ['attribute-one'].includes(attr);
} else if (tagName === 'element-two') {
return ['attribute-two'].includes(attr);
} else {
return false;
}
},
allowCustomizedBuiltInElements: false,
},
}
); // <element-one attribute-one="1"></element-one><element-two attribute-two="2"></element-two>
Control behavior relating to URI values
// extend the existing array of elements that can use Data URIs
const clean = DOMPurify.sanitize(dirty, { ADD_DATA_URI_TAGS: ['a', 'area'] });
// extend the existing array of elements that are safe for URI-like values (be careful, XSS risk)
const clean = DOMPurify.sanitize(dirty, { ADD_URI_SAFE_ATTR: ['my-attr'] });
Control permitted attribute values
// allow external protocol handlers in URL attributes (default is false, be careful, XSS risk)
// by default only http, https, ftp, ftps, tel, mailto, callto, sms, cid, xmpp and matrix are allowed.
const clean = DOMPurify.sanitize(dirty, { ALLOW_UNKNOWN_PROTOCOLS: true });
// allow specific protocol handlers in URL attributes via regex (default is false, be careful, XSS risk)
// by default only (protocol-)relative URLs, http, https, ftp, ftps, tel, mailto, callto, sms, cid, xmpp and matrix are allowed.
// Default RegExp: /^(?:(?:(?:f|ht)tps?|mailto|tel|callto|sms|cid|xmpp):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i;
const clean = DOMPurify.sanitize(dirty, {
ALLOWED_URI_REGEXP:
/^(?:(?:(?:f|ht)tps?|mailto|tel|callto|sms|cid|xmpp|matrix):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i,
});
Influence the return-type
// return a DOM HTMLBodyElement instead of an HTML string (default is false)
const clean = DOMPurify.sanitize(dirty, { RETURN_DOM: true });
// return a DOM DocumentFragment instead of an HTML string (default is false)
const clean = DOMPurify.sanitize(dirty, { RETURN_DOM_FRAGMENT: true });
// use the RETURN_TRUSTED_TYPE flag to turn on Trusted Types support if available
const clean = DOMPurify.sanitize(dirty, { RETURN_TRUSTED_TYPE: true }); // will return a TrustedHTML object instead of a string if possible
// use a provided Trusted Types policy
const clean = DOMPurify.sanitize(dirty, {
// supplied policy must define createHTML and createScriptURL
TRUSTED_TYPES_POLICY: trustedTypes.createPolicy('dompurify', {
createHTML(s) {
return s;
},
createScriptURL(s) {
return s;
},
}),
});
Influence how we sanitize
// return entire document including <html> tags (default is false)
const clean = DOMPurify.sanitize(dirty, { WHOLE_DOCUMENT: true });
// disable DOM Clobbering protection on output (default is true, handle with care, minor XSS risks here)
const clean = DOMPurify.sanitize(dirty, { SANITIZE_DOM: false });
// enforce strict DOM Clobbering protection via namespace isolation (default is false)
// when enabled, isolates the namespace of named properties (i.e., `id` and `name` attributes)
// from JS variables by prefixing them with the string `user-content-`
const clean = DOMPurify.sanitize(dirty, { SANITIZE_NAMED_PROPS: true });
// keep an element's content when the element is removed (default is true)
const clean = DOMPurify.sanitize(dirty, { KEEP_CONTENT: false });
// glue elements like style, script or others to document.body and prevent unintuitive browser behavior in several edge-cases (default is false)
const clean = DOMPurify.sanitize(dirty, { FORCE_BODY: true });
// remove all <a> elements under <p> elements that are removed
const clean = DOMPurify.sanitize(dirty, {
FORBID_CONTENTS: ['a'],
FORBID_TAGS: ['p'],
});
// extend the default FORBID_CONTENTS list to also remove <a> elements under <p> elements
const clean = DOMPurify.sanitize(dirty, {
ADD_FORBID_CONTENTS: ['a'],
FORBID_TAGS: ['p'],
});
// change the parser type so sanitized data is treated as XML and not as HTML, which is the default
const clean = DOMPurify.sanitize(dirty, {
PARSER_MEDIA_TYPE: 'application/xhtml+xml',
});
Influence where we sanitize
// use the IN_PLACE mode to sanitize a node "in place", which is much faster depending on how you use DOMPurify
const dirty = document.createElement('a');
dirty.setAttribute('href', 'javascript:alert(1)');
const clean = DOMPurify.sanitize(dirty, { IN_PLACE: true }); // see https://github.com/cure53/DOMPurify/issues/288 for more info
There is even more examples here, showing how you can run, customize and configure DOMPurify to fit your needs.
Persistent Configuration
Instead of repeatedly passing the same configuration to DOMPurify.sanitize, you can use the DOMPurify.setConfig method. Your configuration will persist until your next call to DOMPurify.setConfig, or until you invoke DOMPurify.clearConfig to reset it. Remember that there is only one active configuration, which means once it is set, all extra configuration parameters passed to DOMPurify.sanitize are ignored.
Hooks
DOMPurify allows you to augment its functionality by attaching one or more functions with the DOMPurify.addHook method to one of the following hooks:
beforeSanitizeElementsuponSanitizeElement(No 's' - called for every element)afterSanitizeElementsbeforeSanitizeAttributesuponSanitizeAttributeafterSanitizeAttributesbeforeSanitizeShadowDOMuponSanitizeShadowNodeafterSanitizeShadowDOM
It passes the currently processed DOM node, when needed a literal with verified node and attribute data and the DOMPurify configuration to the callback. Check out the MentalJS hook demo to see how the API can be used nicely.
Example:
DOMPurify.addHook(
'uponSanitizeAttribute',
function (currentNode, hookEvent, config) {
// Do something with the current node
// You can also mutate hookEvent for current node (i.e. set hookEvent.forceKeepAttr = true)
// For other than 'uponSanitizeAttribute' hook types hookEvent equals to null
}
);
Removed Configuration
| Option | Since | Note |
|---|---|---|
| SAFE_FOR_JQUERY | 2.1.0 | No replacement required. |
Continuous Integration
We are currently using GitHub Actions in combination with Playwright. This gives us the possibility to confirm for each and every commit that all is going according to plan in relevant modern browsers. Check out the build logs here: https://github.com/cure53/DOMPurify/actions
You can further run local tests by executing npm run test.
All relevant commits will be signed with the key 0x24BB6BF4 for additional security (since 8th of April 2016).
Development and contributing
Installation (npm i)
We support npm officially. GitHub Actions workflow is configured to install dependencies using npm. When using a deprecated version of npm, we cannot fully ensure the versions of installed dependencies, which might lead to unanticipated problems.
Scripts
We use ESLint via xo as part of our pre-commit workflow to help ensure code consistency. In addition, we use Prettier for source and Markdown formatting, and /dist assets are built through rollup.
These are our npm scripts:
npm run devto build the unminified UMD bundle while watching sources for changesnpm run testto lint the sources, run tests through jsdom, and run Karma tests in Chromenpm run test:jsdomto only run tests through jsdomnpm run test:browserto only run tests through Playwrightnpm run test:cito run the CI test flow for jsdom and Karma/BrowserStacknpm run test:fuzzto run a small fuzzer coveringsanitize()and CONFIG
npm run lintto lint the sources using ESLint via xonpm run formatto format JavaScript/TypeScript and Markdown sources with Prettiernpm run format:jsto only format JavaScript/TypeScript sourcesnpm run format:mdto only format Markdown files
npm run buildto build type declarations and distribution bundles, then fix and clean up generated typesnpm run build:typesto only emit TypeScript declaration filesnpm run build:rollupto build all Rollup bundlesnpm run build:umdto only build an unminified UMD bundlenpm run build:umd:minto only build a minified UMD bundlenpm run build:esto only build the ES module bundlenpm run build:cjsto only build the CommonJS bundlenpm run build:fix-typesto post-process generated type filesnpm run build:cleanupto clean up temporary generated type output
npm run verify-typescriptto run the TypeScript verification scriptnpm run commit-amend-buildto run the maintainer helper script for amending build output
Note: all run scripts triggered via npm run <script>.
There are more npm scripts but they are mainly to integrate with CI or are meant to be "private" for instance to amend build distribution files with every commit.
Security Mailing List
We maintain a mailing list that notifies whenever a security-critical release of DOMPurify was published. This means, if someone found a bypass and we fixed it with a release (which always happens when a bypass was found) a mail will go out to that list. This usually happens within minutes or a few hours after learning about a bypass. The list can be subscribed to here:
https://lists.ruhr-uni-bochum.de/mailman/listinfo/dompurify-security
Feature releases will not be announced to this list.
Who contributed?
Many people have helped DOMPurify become what it is today, and they deserve to be acknowledged!
offset, Bankde, lukewarlow, DEMON1A, fg0x0, kodareef5, DavidOliver, 1Jesper1, bencalif, trace37labs, eddieran, christos-eth, researchatfluidattacks, frevadiscor, Rotzbua, binhpv, MariusRumpf, prasadrajandran, Cybozu 💛💸, hata6502 💸, openclaw 💸, intra-mart-dh 💸, nelstrom ❤️, hash_kitten ❤️, kevin_mizu ❤️, icesfont ❤️, reduckted ❤️, dcramer 💸, JGraph 💸, baekilda 💸, Healthchecks 💸, Sentry 💸, jarrodldavis 💸, CynegeticIO, ssi02014 ❤️, GrantGryczan, Lowdefy, granlem, oreoshake, tdeekens ❤️, peernohell ❤️, is2ei, SoheilKhodayari, franktopel, NateScarlet, neilj, fhemberger, Joris-van-der-Wel, ydaniv, terjanq, filedescriptor, ConradIrwin, gibson042, choumx, 0xSobky, styfle, koto, tlau88, strugee, oparoz, mathiasbynens, edg2s, dnkolegov, dhardtke, wirehead, thorn0, styu, mozfreddyb, mikesamuel, jorangreef, jimmyhchan, jameydeorio, jameskraus, hyderali, hansottowirtz, hackvertor, freddyb, flavorjones, djfarrelly, devd, camerondunford, buu700, buildog, alabiaga, Vector919, Robbert, GreLI, FuzzySockets, ArtemBernatskyy, @garethheyes, @shafigullin, @mmrupp, @irsdl,ShikariSenpai, ansjdnakjdnajkd, @asutherland, @mathias, @cgvwzq, @robbertatwork, @giutro, @CmdEngineer_, @avr4mit, davecardwell and especially @securitymb ❤️ & @masatokinugawa ❤️