Toggle navigation
MeasureThat.net
Create a benchmark
Tools
Feedback
FAQ
Register
Log In
sanitize-html vs nothing
(version: 0)
Comparing performance of:
DOMPurify vs Sanitize HTML
Created:
4 years ago
by:
Guest
Jump to the latest result
HTML Preparation code:
<script src="https://cdnjs.cloudflare.com/ajax/libs/sanitize-html/1.27.5/sanitize-html.min.js"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/dompurify/2.2.7/purify.min.js"></script>
Tests:
DOMPurify
const testString = `aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa` const result = testString console.log(result)
Sanitize HTML
const testString = ` <b>Welcome to safeland</b><br> <a href='javascript:alert(1)'>This is fun</a><br> <img src=x onerror=console.log(1)> ` const result = sanitizeHtml(testString) console.log(result)
Rendered benchmark preparation results:
Suite status:
<idle, ready to run>
Run tests (2)
Previous results
Fork
Test case name
Result
DOMPurify
Sanitize HTML
Fastest:
N/A
Slowest:
N/A
Latest run results:
Run details:
(Test run date:
one year ago
)
User agent:
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36
Browser/OS:
Chrome 135 on Windows
View result in a separate tab
Embed
Embed Benchmark Result
<iframe src="https://measurethat.net/Embed?id=602201" width="100%" height="500px"></iframe>
Test name
Executions per second
DOMPurify
237768.9 Ops/sec
Sanitize HTML
31575.4 Ops/sec
Autogenerated LLM Summary
(model
llama3.2:3b
, generated one year ago):
Let's break down the provided benchmark definitions and options. **Options being compared:** In the first test case, `DOMPurify` is being tested against a "Nothing" approach (no sanitization). The two approaches being compared are: 1. **DOMPurify**: A library that removes or escapes HTML tags from input strings to prevent XSS attacks. 2. **Nothing**: No sanitization is applied, which means the input string is not modified. Pros of using `DOMPurify`: * Provides robust protection against XSS attacks * Easy to use and configure Cons of using `DOMPurify`: * May introduce unnecessary overhead or performance penalties * Can be slower than no sanitization for simple cases Pros of "Nothing" approach: * No additional overhead or performance penalties * Faster execution times for simple cases Cons of the "Nothing" approach: * Leaves input strings vulnerable to XSS attacks **Second test case:** In this test case, `Sanitize HTML` is being compared against no sanitization. The two approaches being compared are: 1. **Sanitize HTML**: A library that removes or escapes HTML tags from input strings while preserving some syntax and structure. 2. **Nothing**: No sanitization is applied. Pros of using `Sanitize HTML`: * Preserves some original syntax and structure while removing malicious code * May be faster than `DOMPurify` for certain cases Cons of using `Sanitize HTML`: * May not remove all possible XSS attacks * Can be slower than no sanitization for extremely simple cases Pros of the "Nothing" approach: * Faster execution times for extremely simple cases * No overhead or performance penalties Cons of the "Nothing" approach: * Leaves input strings vulnerable to XSS attacks **Library and syntax explanations:** 1. `sanitize-html` is a library developed by Dave Shaw (a.k.a. "dfshaw") that provides a fast and efficient way to sanitize HTML input. 2. `dompurify` is another popular library for sanitizing HTML input, developed by Paul Miller. 3. In the first test case, the `testString` variable contains an XSS attempt using a script tag. The expected output of both approaches is an empty string. 4. In the second test case, the `testString` variable contains multiple HTML elements (bold, link, and image) with malicious attributes. Both approaches are expected to remove or escape these malicious attributes. **Other alternatives:** * Other sanitization libraries include `html-minifier`, `js-xss-sanitizer`, and `xss-cleaner`. * Some browsers have built-in XSS protection mechanisms, such as Google Chrome's Content Security Policy (CSP) feature. * For extremely simple cases, no sanitization or a custom approach may be sufficient. Overall, the choices between these approaches depend on the specific use case and requirements. If you need robust protection against XSS attacks, `DOMPurify` is a good choice. If you prioritize performance over security, "Nothing" might be acceptable for very simple cases.
Related benchmarks:
Dompurify vs sanitize-html
Dompurify 2.3.3 vs sanitize-html 1.27.5 vs Js-XSS Latest (Test #1)
Dompurify 2.3.3 vs sanitize-html
Dompurify vs sanitize-html (2024-03-16)
Dompurify vs sanitize-html (latest)
Comments
Confirm delete:
Do you really want to delete benchmark?