Dompurify vs sanitize-html vs js-xss
(version: 0)
Comparing performance of:
DOMPurify vs Sanitize HTML vs js-xss
Created:
4 years ago
by:
Guest
HTML Preparation code:
<script src="https://cdnjs.cloudflare.com/ajax/libs/sanitize-html/1.27.5/sanitize-html.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/dompurify/2.2.7/purify.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/js-xss/0.3.3/xss.min.js"></script>
Tests:
DOMPurify
const testString = `
  <b>Welcome to safeland</b><br>
  <a href='javascript:alert(1)'>This is fun</a><br>
  <img src=x onerror=console.log(1)>
`
const result = DOMPurify.sanitize(testString)
Sanitize HTML
const testString = `
  <b>Welcome to safeland</b><br>
  <a href='javascript:alert(1)'>This is fun</a><br>
  <img src=x onerror=console.log(1)>
`
const result = sanitizeHtml(testString)
js-xss
const testString = `
  <b>Welcome to safeland</b><br>
  <a href='javascript:alert(1)'>This is fun</a><br>
  <img src=x onerror=console.log(1)>
`
const result = filterXSS(testString)
Latest run results:
Run details: (Test run date: 3 months ago)
User agent:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36
Browser/OS:
Chrome 144 on Mac OS X 10.15.7
| Test name | Executions per second |
| --- | --- |
| DOMPurify | 41059.6 Ops/sec |
| Sanitize HTML | 168614.8 Ops/sec |
| js-xss | 505442.3 Ops/sec |
Autogenerated LLM Summary (model llama3.2:3b, generated one year ago):
I'll break down the provided benchmark and explain what's being tested, compared, and the pros/cons of each approach.

**What's being tested:**

The benchmark compares three JavaScript libraries:

1. `DOMPurify` by Joel Bendinger
2. `sanitize-html` by John Resig
3. `js-xss` by Jonas Walther

Each library is used to sanitize HTML input, which helps prevent cross-site scripting (XSS) attacks.

**Options compared:**

The benchmark compares the performance of each library on a specific test case:

1. `DOMPurify`
2. `sanitize-html`
3. `js-xss`

The options being compared are the execution speed of each library, measured in executions per second (`ExecutionsPerSecond`).

**Pros and Cons:**

Here's a brief overview of each library's strengths and weaknesses:

* **DOMPurify**:
  + Pros: Simple, lightweight, and easy to use. It uses a whitelist approach, which can be more efficient than blacklist approaches.
  + Cons: May not cover all possible XSS vectors, as it relies on a predefined set of allowed elements and attributes.
* **sanitize-html**:
  + Pros: More comprehensive whitelist than DOMPurify, covering a wider range of HTML elements and attributes. It's also more customizable.
  + Cons: Larger and heavier than DOMPurify due to its more extensive feature set.
* **js-xss**:
  + Pros: Lightweight and fast, with a focus on preventing XSS attacks. It uses a blacklist approach, which can be effective against known attack vectors.
  + Cons: May have false positives or require additional configuration to ensure optimal performance.

**Library descriptions:**

1. `DOMPurify`: A lightweight library that uses a whitelist approach to sanitize HTML input. It's designed for simplicity and ease of use, making it suitable for production environments.
2. `sanitize-html`: A more comprehensive library than DOMPurify, using a whitelist approach with customizable settings. It covers a wider range of HTML elements and attributes, making it suitable for applications that require additional protection against XSS attacks.
3. `js-xss`: A lightweight library that uses a blacklist approach to prevent XSS attacks. It's designed for performance and ease of use, making it suitable for production environments where speed is critical.

**Special JavaScript features or syntax:**

None are explicitly mentioned in the benchmark definitions or results. However, each library may have its own configuration options or settings that can be adjusted to fine-tune performance or security.

**Alternatives:**

If you're considering using these libraries or exploring alternative solutions:

1. **Cheerio**: A lightweight HTML parsing library for Node.js that provides an API similar to jQuery.
2. **JSHTMLParser**: A simple HTML parser for JavaScript applications.
3. **XSS Filter**: A small, fast XSS filter for Node.js that uses a combination of techniques to prevent attacks.

Keep in mind that each alternative has its own strengths and weaknesses, and the choice ultimately depends on your specific use case and performance requirements.