cure53/DOMPurify: DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks. Demo:

Stars: 10052
Watchers: 139
Forks: 623
Issues: 1


DOMPurify Recent Issues

| Issue Title | State | Comments | Created Date | Updated Date | Closed Date |
| --- | --- | --- | --- | --- | --- |
| DomPurify adding head tag | closed | 8 | 2022-12-07 | 2022-12-07 | 2022-12-07 |
| Error: Module "fs" has been externalized for browser compatibility [..] | closed | 2 | 2022-12-06 | 2022-12-07 | 2022-12-07 |
| Sanitize removing "href" with value "file://" | closed | 1 | 2022-12-02 | 2022-12-07 | 2022-12-02 |
| add configuration property to support custom components with no lowercase transformation | open | 14 | 2022-12-01 | 2022-12-07 | - |
| DOMPurify.sanitize() doesn't work, in case of escaped tags | closed | 4 | 2022-11-24 | 2022-12-07 | 2022-11-24 |
| use attributes only on specified tags | closed | 2 | 2022-11-21 | 2022-12-07 | 2022-12-01 |
| Forbid nested element p > table | closed | 7 | 2022-11-16 | 2022-12-07 | 2022-11-17 |
| Issue with sanitizing the SVG tags (<text>, <tspan>,...) | closed | 6 | 2022-11-16 | 2022-12-07 | 2022-11-17 |
| thead tag content has been removed | closed | 1 | 2022-11-15 | 2022-12-07 | 2022-11-21 |
| Support additional namespaces in XML documents | closed | 8 | 2022-11-04 | 2022-11-22 | 2022-11-10 |
| Special characters converted (like ™ or german ß) | closed | 2 | 2022-11-03 | 2022-11-22 | 2022-11-09 |
| Method Or Property To Strip Out InnerHTML or Children Of HTML | closed | 6 | 2022-11-01 | 2022-11-22 | 2022-11-10 |
| XSS attack in mailto | closed | 1 | 2022-10-13 | 2022-11-22 | 2022-10-14 |
| Sanitization removes valid scripts when attempting to prevent namespace xxs attacks | closed | 5 | 2022-10-03 | 2022-11-22 | 2022-10-05 |
| DOMPurify license Issue | closed | 3 | 2022-09-21 | 2022-11-22 | 2022-09-21 |
| Is there a way to keep id="body" in header tag ? | closed | 4 | 2022-09-15 | 2022-11-22 | 2022-09-15 |
| <annotation> tags are always removed no matter what | closed | 3 | 2022-09-09 | 2022-11-22 | 2022-09-18 |
| How can we use This lib in Java service side | closed | 1 | 2022-09-09 | 2022-11-22 | 2022-09-15 |
| Unexpected SVG sanitization. | closed | 2 | 2022-09-01 | 2022-11-22 | 2022-09-09 |
| RFE: DOMPurify should add polyfill for Element.setHTML() if native support is missing | closed | 1 | 2022-09-01 | 2022-11-22 | 2022-09-09 |
| Self-closing tags in SVG | closed | 8 | 2022-08-30 | 2022-12-06 | 2022-09-01 |
| Not able to sanitize dirty string | closed | 1 | 2022-08-25 | 2022-11-22 | 2022-08-27 |
| Bundled types are not as well typed as DT types | closed | 13 | 2022-08-23 | 2022-12-06 | 2022-08-24 |
| Version 2.3.11 not backward compatible | closed | 9 | 2022-08-23 | 2022-11-22 | 2022-08-23 |
| DOMPurify remove script tag even if script tag allowed | closed | 8 | 2022-08-18 | 2022-11-22 | 2022-08-23 |
| Chrome: sanitizing `referrer` meta tag still applies the referrer policy | closed | 1 | 2022-08-09 | 2022-11-22 | 2022-08-13 |
| DOMPurify remove attribute with specific value. | closed | 4 | 2022-08-08 | 2022-11-22 | 2022-08-10 |
| DOMPurify strips off attributes with self-closing tags | closed | 1 | 2022-08-05 | 2022-11-22 | 2022-08-09 |
| How to import DOMPurify as an ECMAScript module from TypeScript? | closed | 12 | 2022-08-03 | 2022-11-22 | 2022-08-23 |
| High CPU Utilisation observed | closed | 5 | 2022-08-03 | 2022-11-22 | 2022-08-03 |
| Foot-gun question: Can I HTML encode for caret brackets and '&' after sanitizing using DOMPurify? | closed | 1 | 2022-07-25 | 2022-11-22 | 2022-08-03 |
| Suggest incule `target` to `DEFAULT_URI_SAFE_ATTRIBUTES` | closed | 3 | 2022-07-18 | 2022-11-22 | 2022-07-18 |
| Requesting clarification on the SAFE_FOR_TEMPLATES option | closed | 2 | 2022-07-14 | 2022-11-22 | 2022-08-03 |
| [Question] How to replace <\p> by a \n ? | closed | 0 | 2022-07-04 | 2022-11-22 | 2022-07-05 |
| Comments inside <style> tag | closed | 1 | 2022-06-20 | 2022-12-01 | 2022-06-27 |
| Support for Node and TypeScript | closed | 17 | 2022-05-27 | 2022-11-22 | 2022-08-23 |
| Filter <img src> URLs separately than <a href> | closed | 2 | 2022-05-25 | 2022-11-22 | 2022-05-31 |
| Bug in CUSTOM_ELEMENT_HANDLING | closed | 5 | 2022-05-17 | 2022-11-22 | 2022-05-18 |
| <style> tag doesn't sanitize if there is any text before | closed | 5 | 2022-05-13 | 2022-11-22 | 2022-05-18 |
| Release 2.3.7: purify.js in dist-folder is still on 2.3.6 | closed | 2 | 2022-05-13 | 2022-11-22 | 2022-05-13 |
| Attributes with value of "target" is getting stripped | closed | 1 | 2022-05-04 | 2022-11-22 | 2022-05-10 |
| Why are annotation and semantics MathML tags forbidden? | closed | 4 | 2022-04-22 | 2022-12-04 | 2022-04-24 |
| Can I keep the 'src' attribute in my <img> tags? | closed | 2 | 2022-04-16 | 2022-11-22 | 2022-04-22 |
| Can this be shipped with firefox/chrome extension? | closed | 1 | 2022-04-15 | 2022-11-22 | 2022-04-16 |
| Direct JavaScript Method Checks! | closed | 2 | 2022-04-12 | 2022-11-22 | 2022-04-24 |
| #document-fragment treated as forbidden root node. | closed | 8 | 2022-03-16 | 2022-11-22 | 2022-03-23 |
| DOMPurify fails on sanitization of Trusted Types sink attributes | closed | 8 | 2022-03-07 | 2022-11-22 | 2022-04-02 |
| Data attribute get's stripped when it contains a string ending in /> | closed | 2 | 2022-03-03 | 2022-11-22 | 2022-03-04 |
| [Question] Can hooks be used on a per-call basis? | closed | 4 | 2022-03-03 | 2022-11-22 | 2022-03-07 |
| DOMPurify copies slots/children outside of custom elements | closed | 3 | 2022-02-11 | 2022-11-22 | 2022-02-13 |