Benchmark: Dompurify 2.3.3 vs sanitize-html 1.27.5 vs Js-XSS Latest (Test #1)

HTML Preparation code:

<script src="https://cdnjs.cloudflare.com/ajax/libs/sanitize-html/1.27.5/sanitize-html.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/dompurify/2.3.3/purify.min.js"></script>
<script src="https://rawgit.com/leizongmin/js-xss/master/dist/xss.js"></script>

Tests:

Dompurify 2.3.3
const testString = ` <b onclick="console.log(0)">Welcome to safeland</b><br> <a draggable="true" ondrag="console.log(1)">test</a> <a id=x tabindex=1 onfocus=console.log(2)>test</a> <a onclick="console.log(3)">test</a> <marquee onstart=console.log(4)></marquee> <x ondrag=console.log(5)>drag this!</x> <title onmouseover="console.log(6)">test</title> <img src/onerror="console.log(7)"> <textarea onclick="console.log(8)">test</textarea> <a href="javascript:console.log(9)">This is fun</a><br> <img src=x onerror="console.log(10)"> <button formaction="javascript:alert(11)" onclick="javascript:alert(12)"></button> <math href="javascript:alert(13)">CLICKME</math> <set attributeName="onmouseover" to="alert(14)"/> <animate attributeName="onunload" to="alert(15)"/> <video autoplay onplay=alert(16)><source src="validvideo.mp4" type="video/mp4"></video> <var onpaste="alert(17)" contenteditable>test</var> <article onmouseout="alert(18)">test</article> <area onclick="alert(19)">test</area> <a onmouseover="alert(20)">test</a> <body onload=alert(21)></body> <html ontouchstart=alert(22)></html> <svg onload=alert(23)> <form action=javascript:alert(24)><input type=submit></form> <audio src/onerror=alert(25)> ` const result = DOMPurify.sanitize(testString)
Sanitize-html 1.27.5
const testString = ` <b onclick="console.log(0)">Welcome to safeland</b><br> <a draggable="true" ondrag="console.log(1)">test</a> <a id=x tabindex=1 onfocus=console.log(2)>test</a> <a onclick="console.log(3)">test</a> <marquee onstart=console.log(4)></marquee> <x ondrag=console.log(5)>drag this!</x> <title onmouseover="console.log(6)">test</title> <img src/onerror="console.log(7)"> <textarea onclick="console.log(8)">test</textarea> <a href="javascript:console.log(9)">This is fun</a><br> <img src=x onerror="console.log(10)"> <button formaction="javascript:alert(11)" onclick="javascript:alert(12)"></button> <math href="javascript:alert(13)">CLICKME</math> <set attributeName="onmouseover" to="alert(14)"/> <animate attributeName="onunload" to="alert(15)"/> <video autoplay onplay=alert(16)><source src="validvideo.mp4" type="video/mp4"></video> <var onpaste="alert(17)" contenteditable>test</var> <article onmouseout="alert(18)">test</article> <area onclick="alert(19)">test</area> <a onmouseover="alert(20)">test</a> <body onload=alert(21)></body> <html ontouchstart=alert(22)></html> <svg onload=alert(23)> <form action=javascript:alert(24)><input type=submit></form> <audio src/onerror=alert(25)> ` const result = sanitizeHtml(testString)
Js-XSS Latest
const testString = ` <b onclick="console.log(0)">Welcome to safeland</b><br> <a draggable="true" ondrag="console.log(1)">test</a> <a id=x tabindex=1 onfocus=console.log(2)>test</a> <a onclick="console.log(3)">test</a> <marquee onstart=console.log(4)></marquee> <x ondrag=console.log(5)>drag this!</x> <title onmouseover="console.log(6)">test</title> <img src/onerror="console.log(7)"> <textarea onclick="console.log(8)">test</textarea> <a href="javascript:console.log(9)">This is fun</a><br> <img src=x onerror="console.log(10)"> <button formaction="javascript:alert(11)" onclick="javascript:alert(12)"></button> <math href="javascript:alert(13)">CLICKME</math> <set attributeName="onmouseover" to="alert(14)"/> <animate attributeName="onunload" to="alert(15)"/> <video autoplay onplay=alert(16)><source src="validvideo.mp4" type="video/mp4"></video> <var onpaste="alert(17)" contenteditable>test</var> <article onmouseout="alert(18)">test</article> <area onclick="alert(19)">test</area> <a onmouseover="alert(20)">test</a> <body onload=alert(21)></body> <html ontouchstart=alert(22)></html> <svg onload=alert(23)> <form action=javascript:alert(24)><input type=submit></form> <audio src/onerror=alert(25)> ` const result = filterXSS(testString)

Rendered benchmark preparation results:

Suite status: <idle, ready to run>

Previous results

Test case name	Result
Dompurify 2.3.3
Sanitize-html 1.27.5
Js-XSS Latest

Fastest: N/A

Slowest: N/A

Latest run results:

Run details: (Test run date: 29 days ago)

User agent: Mozilla/5.0 (Linux; Android 14; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.6998.135 Mobile Safari/537.36

Browser/OS: Chrome Mobile 134 on Android

View result in a separate tab

Test name	Executions per second
Dompurify 2.3.3	747.2 Ops/sec
Sanitize-html 1.27.5	10482.3 Ops/sec
Js-XSS Latest	21435.4 Ops/sec

Autogenerated LLM Summary (model llama3.2:3b, generated 6 months ago):

LLMs can make mistakes. Check important info.

Based on the provided benchmark results, I'll focus on the two relevant tests: "Js-XSS Latest" and "Sanitize-html 1.27.5".

**Test 1: Js-XSS Latest**

The latest benchmark result is:
```
{
    "RawUAString": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36",
    "Browser": "Chrome 116",
    "DevicePlatform": "Desktop",
    "OperatingSystem": "Windows",
    "ExecutionsPerSecond": 13430.4990234375,
    "TestName": "Js-XSS Latest"
}
```
This result indicates that the Js-XSS filter is passing through malicious input, suggesting a vulnerability.

**Test 2: Sanitize-html 1.27.5**

The benchmark result is:
```
{
    "RawUAString": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36",
    "Browser": "Chrome 116",
    "DevicePlatform": "Desktop",
    "OperatingSystem": "Windows",
    "ExecutionsPerSecond": 4646.60791015625,
    "TestName": "Sanitize-html 1.27.5"
}
```
This result indicates that the Sanitize-html filter is passing through malicious input, suggesting a vulnerability.

In both cases, it appears that the filters are not properly sanitizing user input, allowing malicious code to execute. This highlights the importance of keeping these filters up-to-date and thoroughly tested to ensure they can effectively prevent XSS attacks.

Related benchmarks:

Dompurify 2.3.3 vs sanitize-html 1.27.5 vs Js-XSS Latest (Test #1) (version: 14)

Comparing performance of: Dompurify 2.3.3 vs Sanitize-html 1.27.5 vs Js-XSS Latest

Created: 3 years ago by: Registered User

Jump to the latest result

Dompurify 2.3.3

Sanitize-html 1.27.5

Js-XSS Latest

Suite status: <idle, ready to run>

Experimental features:

Fastest: N/A

Slowest: N/A

Autogenerated LLM Summary (model llama3.2:3b, generated 6 months ago):