# cure53/DOMPurify

**Attribution required: if you use, quote, or summarise this content, you must credit and link back to [awesome-repositories.com](https://awesome-repositories.com/repository/cure53-dompurify).**

16,638 stars · 821 forks · JavaScript · other

## Links

- GitHub: https://github.com/cure53/DOMPurify
- Homepage: https://cure53.de/purify
- awesome-repositories: https://awesome-repositories.com/repository/cure53-dompurify.md

## Topics

`cross-site-scripting` `dom` `dompurify` `html` `javascript` `mathml` `prevent-xss-attacks` `sanitizer` `security` `svg` `xss`

## Description

DOMPurify is a security-focused library designed to sanitize untrusted HTML input, preventing cross-site scripting attacks by stripping malicious code while preserving safe content. It functions as a utility for secure document object model manipulation, ensuring that user-provided rich text can be rendered safely within web applications.

The library distinguishes itself through a single-pass, mutation-observer-free processing model that operates on detached document fragments to avoid triggering unintended side effects. It employs recursive node traversal and context-aware logic to inspect and neutralize dangerous elements at any depth, validating all markup against a strictly defined allowlist of permitted tags and attributes.

Beyond basic sanitization, the project provides comprehensive support for browser-level security standards, including integration with Trusted Types policies. This ensures that sanitized output is compatible with modern security requirements, preventing the injection of unverified strings into sensitive document sinks. The library is available as a standalone package and includes a polyfill to maintain consistent security enforcement across different browser environments.

## Tags

### Web Development

- [HTML Sanitization Utilities](https://awesome-repositories.com/f/web-development/html-sanitization-utilities.md) — Strips malicious code from untrusted HTML input to prevent cross-site scripting attacks in web applications.
- [Trusted Types Polyfills](https://awesome-repositories.com/f/web-development/feature-detection-polyfills/trusted-types-polyfills.md) — Ensures consistent security enforcement across browsers by polyfilling Trusted Types support.

### Security & Cryptography

- [Input Sanitization](https://awesome-repositories.com/f/security-cryptography/application-and-system-security/web-security/input-sanitization.md) — Removes malicious code and dangerous elements from input to prevent cross-site scripting while preserving safe content. ([source](https://cure53.de/purify))
- [Cross-Site Scripting Prevention](https://awesome-repositories.com/f/security-cryptography/cross-site-scripting-prevention.md) — Provides robust sanitization and encoding techniques to prevent cross-site scripting and filter evasion attacks.
- [Trusted Types Policies](https://awesome-repositories.com/f/security-cryptography/content-security-policies/trusted-types-policies.md) — Integrates with browser-level Trusted Types to prevent the execution of unverified string-based code.
- [Trusted Types Integrations](https://awesome-repositories.com/f/security-cryptography/trust-verification/trusted-types-integrations.md) — Integrates with browser security policies to ensure sanitized output is safely handled by sensitive document sinks. ([source](https://cure53.de/purify))
- [DOM Security Policy Enforcers](https://awesome-repositories.com/f/security-cryptography/content-security-policies/dom-security-policy-enforcers.md) — Ensures dynamically generated content adheres to strict document object model safety standards.
- [DOM-Tree Sanitizers](https://awesome-repositories.com/f/security-cryptography/dom-based-xss-protections/dom-tree-sanitizers.md) — Uses native browser parsing to safely inspect and clean document fragments.
- [HTML Allowlists](https://awesome-repositories.com/f/security-cryptography/security/utilities/allowlist-management/html-allowlists.md) — Provides granular control over permitted HTML elements and attributes to prevent malicious code injection.

### User Interface & Experience

- [DOM Security Utilities](https://awesome-repositories.com/f/user-interface-experience/dom-manipulation-utilities/dom-security-utilities.md) — Provides a secure utility for manipulating the document object model by filtering untrusted input.
- [Safe Rich Text Renderers](https://awesome-repositories.com/f/user-interface-experience/content-rendering-components/safe-rich-text-renderers.md) — Enables safe rendering of user-provided rich text by stripping dangerous elements.

### DevOps & Infrastructure

- [HTML Content Policies](https://awesome-repositories.com/f/devops-infrastructure/infrastructure/configuration-policy-enforcement/html-content-policies.md) — Enforces strict content policies by limiting allowed HTML tags and attributes. ([source](https://cure53.de/purify))

### Software Engineering & Architecture

- [Sanitization Contexts](https://awesome-repositories.com/f/software-engineering-architecture/context-aware-tooling/sanitization-contexts.md) — Adapts sanitization logic dynamically to handle complex or nested HTML structures safely.
- [Single-Pass Cleanup Engines](https://awesome-repositories.com/f/software-engineering-architecture/dependency-free-architectures/single-pass-cleanup-engines.md) — Performs efficient, side-effect-free sanitization on detached document fragments.
- [Recursive Tree Traversers](https://awesome-repositories.com/f/software-engineering-architecture/recursive-validation-engines/recursive-tree-traversers.md) — Ensures deep inspection of document structures to neutralize nested malicious content.
