DOMPurify is a security-focused JavaScript library that sanitizes untrusted HTML (as well as SVG and MathML) so that it can be rendered without enabling cross-site scripting: it removes the elements, attributes and URLs that could execute script while preserving the safe markup around them. Rather than filtering strings with its own rules, it works on the browser's document object model, which lets a web application render user-provided rich text through ordinary DOM sinks without handing the author of that text a script execution primitive.
The library's approach is to let the browser's own HTML parser do the parsing: the input is parsed into a document that is never attached to the live page, so nothing in it loads, renders or runs while it is inspected, and every node of that document is then walked in a single pass. Elements whose tag is not on the allowlist are removed (by default their text content is kept, except for tags such as script and style whose contents are dropped with them), attributes not on the allowlist are removed, and URL-bearing attributes are checked against a safe-scheme pattern; nested template content and shadow roots are sanitized the same way, so a payload cannot hide at depth. The allowlists are configurable (for example ALLOWED_TAGS, ALLOWED_ATTR, FORBID_TAGS and FORBID_ATTR), and because the parser used for inspection is the one that will later render the output, what DOMPurify checks is what the browser will actually see, which is its main defence against parser-differential (mutation XSS) bypasses.
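The allowlist walk described above, as an added example written for this page (it is not DOMPurify's implementation or API): it assumes the input has already been parsed by the browser into a tree, represented here by plain objects of the shape {tag, attrs, children} with strings for text nodes, and the allowlists, the URL-scheme rule and the sample input are constructed for the example.

```javascript
// Added example, not DOMPurify's code: an allowlist sanitizer over a tree that a
// DOM parser has already produced. The node shape is an assumption for this page:
//   element = { tag, attrs: { name: value }, children: [node] }, text node = string.

const ALLOWED_TAGS = new Set(['p', 'b', 'i', 'em', 'strong', 'ul', 'li', 'a', 'img', 'br']);
const ALLOWED_ATTR = new Set(['href', 'src', 'alt', 'title']);
// Tags whose contents are dropped together with the tag (the role DOMPurify's
// FORBID_CONTENTS plays). Other disallowed tags are unwrapped: the tag goes,
// its surviving children stay (DOMPurify's KEEP_CONTENT behaviour).
const FORBID_CONTENTS = new Set(['script', 'style', 'template', 'noscript', 'iframe']);
const URI_ATTRS = new Set(['href', 'src']);
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);
const VOID_TAGS = new Set(['img', 'br']);

// A URL is accepted if it is relative or its scheme is allowlisted. The check runs
// on a copy with ASCII control characters and spaces removed, because browsers
// ignore those inside a scheme ("java\tscript:" still executes); the original
// value is what gets emitted.
function isSafeUri(value) {
  const stripped = String(value).replace(/[\u0000-\u0020]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(stripped);
  return m === null || ALLOWED_SCHEMES.has(m[1].toLowerCase());
}

// Walk one node and return the nodes that replace it: the cleaned element, its
// surviving children when the element itself is removed, or nothing at all.
function sanitizeNode(node) {
  if (typeof node === 'string') return [node];
  const tag = node.tag.toLowerCase();
  const children = FORBID_CONTENTS.has(tag) ? [] : (node.children || []).flatMap(sanitizeNode);
  if (!ALLOWED_TAGS.has(tag)) return children;
  const attrs = {};
  for (const [name, value] of Object.entries(node.attrs || {})) {
    const lname = name.toLowerCase();
    if (!ALLOWED_ATTR.has(lname)) continue;                  // onclick, style, srcdoc... simply are not listed
    if (URI_ATTRS.has(lname) && !isSafeUri(value)) continue; // javascript:, data:, vbscript:...
    attrs[lname] = String(value);
  }
  return [{ tag, attrs, children }];
}

// Serialize back to markup. In the browser this step is the DOM's own
// serializer; here it must escape text and attribute values itself.
function escapeText(s) { return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;'); }
function escapeAttr(s) { return escapeText(s).replace(/"/g, '&quot;'); }

function serialize(nodes) {
  return nodes.map((n) => {
    if (typeof n === 'string') return escapeText(n);
    const attrs = Object.entries(n.attrs).map(([k, v]) => ` ${k}="${escapeAttr(v)}"`).join('');
    return VOID_TAGS.has(n.tag)
      ? `<${n.tag}${attrs}>`
      : `<${n.tag}${attrs}>${serialize(n.children)}</${n.tag}>`;
  }).join('');
}

// Sanitize a parsed fragment (array of top-level nodes) into an HTML string.
function sanitize(fragment) {
  return serialize(fragment.flatMap(sanitizeNode));
}

// Constructed sample input: the tree a parser would build for a <p> carrying an
// event handler, a <script>, a tab-obfuscated javascript: link, a legitimate link,
// an <img> with a data: URL and an onerror handler, and an <svg> wrapping a link.
// (DOMPurify itself allows data: on <img> by default; this example is stricter.)
const CONSTRUCTED_INPUT = [
  { tag: 'p', attrs: { onclick: 'alert(1)', class: 'note' }, children: [
    'Hello <world>',
    { tag: 'b', attrs: {}, children: ['there'] },
    { tag: 'script', attrs: {}, children: ['alert(document.cookie)'] },
    { tag: 'a', attrs: { href: 'java\tscript:alert(1)' }, children: ['bad link'] },
    { tag: 'a', attrs: { href: 'https://example.com/?q=a&b', title: 'ok' }, children: ['good link'] },
    { tag: 'img', attrs: { src: 'data:text/html,<script>alert(1)</script>', alt: 'pic', onerror: 'alert(1)' } },
    { tag: 'svg', attrs: {}, children: [{ tag: 'a', attrs: { href: '/relative' }, children: ['svg text'] }] },
  ] },
];

console.log(sanitize(CONSTRUCTED_INPUT));
```

The deliberate omission is parsing. In the browser DOMPurify does not tokenize HTML itself; it hands the string to the browser's parser and sanitizes the resulting DOM, so the tree it inspects is the tree the page will render. A sanitizer that parses with its own rules while the browser re-parses the output with different ones is exactly where mutation-XSS bypasses live, which is why the example takes an already-parsed tree rather than a string.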
Beyond sanitization itself, DOMPurify integrates with the Trusted Types browser standard: called with the RETURN_TRUSTED_TYPE: true option it returns a TrustedHTML object rather than a plain string, so the sanitized result can be assigned to sinks such as innerHTML on a page whose Content Security Policy enforces require-trusted-types-for 'script', where an unverified string would be rejected. The library is available as a standalone package (UMD and ES module builds) and also runs server-side on top of jsdom. One caveat for code that must run in many environments: DOMPurify.isSupported reports whether the current environment provides the DOM APIs the library needs, and where it does not, sanitize() returns its input unchanged rather than sanitizing it, so callers should check that flag rather than assume enforcement.