What does HackerNews think of DOMPurify?

DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks. Demo:

Language: JavaScript

#10 in HTML
#110 in JavaScript
#54 in Security
Coupled with DOMPurify [0], it helps a lot to simplify the messy JavaScript and HTML. Yin [1] has a book on that.

[0]: https://github.com/cure53/DOMPurify
[1]: https://leanpub.com/react-wagtail

I would highly recommend using DOMPurify over sanitize-html. It is a lot smaller in bundle size, and it is also well maintained: https://github.com/cure53/DOMPurify

The author mentions building their own sanitizer, which I would recommend against. Maybe for this use case (extracting a few b tags) it’d be fine, but as soon as links are involved: please stand on the shoulders of giants in order to prevent XSS.

> HTML based ads but no js (run it through DOMPurify https://github.com/cure53/DOMPurify)

Or use iframe.sandbox, which was designed for it. https://www.w3schools.com/tags/att_iframe_sandbox.asp