Benchmark: Sanitize-html vs DOMpurify

HTML Preparation code:

<script src="https://unpkg.com/sanitize-html@1.23.0/dist/sanitize-html.js"></script>
<script src="https://unpkg.com/dompurify@2.0.11/dist/purify.js"></script>

Script Preparation code:

const testString = "<b>Welcome to safeland</b><br><a href='javascript:alert(1)'>This is fun</a><br><img src=x onerror=console.log(1)>"

Tests:

sanitize
const result = sanitizeHtml("Welcome to safeland <a href='javascript:alert(1)'>This is fun</a> <img src=x onerror=console.log(1)>")
purify
const result = DOMPurify.sanitize("Welcome to safeland <a href='javascript:alert(1)'>This is fun</a> <img src=x onerror=console.log(1)>")

Rendered benchmark preparation results:

Suite status: <idle, ready to run>

Previous results

Test case name	Result
sanitize
purify

Fastest: N/A

Slowest: N/A

Latest run results:

Run details: (Test run date: 2 months ago)

User agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36 Edg/133.0.0.0

Browser/OS: Chrome 133 on Windows

View result in a separate tab

Test name	Executions per second
sanitize	72894.1 Ops/sec
purify	13140.6 Ops/sec

Autogenerated LLM Summary (model llama3.2:3b, generated 6 months ago):

LLMs can make mistakes. Check important info.

Let's break down what's being tested in the provided JSON and explain the options, pros, cons, and other considerations.

**Benchmark Definition**

The benchmark tests two different libraries: `sanitize-html` and `DOMPurify`. These libraries are designed to sanitize user-inputted HTML strings, removing malicious code and ensuring that only safe HTML is rendered.

**Options Compared**

The two options being compared are:

1. `sanitizeHtml`: This library uses a set of heuristics to detect and remove malicious patterns from the input string. It's a relatively lightweight approach, but may not be as effective against all types of attacks.
2. `DOMPurify`: This library uses a more comprehensive set of rules to sanitize the input string. It's designed to detect and remove a wide range of malicious patterns, making it a more robust option.

**Pros and Cons**

* **sanitizeHtml**:
	+ Pros: Lightweight, fast execution, easy to use.
	+ Cons: May not be as effective against all types of attacks, may allow some malicious code to pass through.
* **DOMPurify**:
	+ Pros: Comprehensive set of rules, highly effective against a wide range of malicious patterns, flexible configuration options.
	+ Cons: Heavier than `sanitizeHtml`, slower execution times.

**Library Use**

In the provided benchmark definition, both libraries are used in their own scripts. However, it's worth noting that `DOMPurify` is typically used as a module, requiring importing and requiring the necessary configuration options.

**Special JS Features or Syntax**

There doesn't appear to be any special JavaScript features or syntax being used in this benchmark.

**Alternatives**

Other alternatives for sanitizing user-inputted HTML strings include:

1. `HTML Purifier`: A more comprehensive library that offers a wide range of sanitization options and rules.
2. `XSS Filter`: A built-in filter for Node.js that can be used to sanitize user-inputted data, including HTML.
3. Custom implementation: Depending on the specific requirements and constraints, developers may choose to implement their own sanitization solution using various techniques such as regular expressions or DOM-based approaches.

In summary, the benchmark tests two popular libraries for sanitizing user-inputted HTML strings: `sanitize-html` and `DOMPurify`. The choice between these options depends on performance, effectiveness, and ease of use requirements.

Related benchmarks:

Sanitize-html vs DOMpurify (version: 0)

Comparing performance of: sanitize vs purify

Created: 4 years ago by: Guest

Jump to the latest result

sanitize

purify

Suite status: <idle, ready to run>

Experimental features:

Fastest: N/A

Slowest: N/A

Autogenerated LLM Summary (model llama3.2:3b, generated 6 months ago):