Dompurify 2.3.3 vs sanitize-html 1.27.5 vs Js-XSS Latest (Test #1)
(version: 14)
Comparing performance of: Dompurify 2.3.3 vs Sanitize-html 1.27.5 vs Js-XSS Latest
Created: 4 years ago by: Registered User
HTML Preparation code:
```
<script src="https://cdnjs.cloudflare.com/ajax/libs/sanitize-html/1.27.5/sanitize-html.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/dompurify/2.3.3/purify.min.js"></script>
<script src="https://rawgit.com/leizongmin/js-xss/master/dist/xss.js"></script>
```
Tests:
Dompurify 2.3.3
```
const testString = `
<b onclick="console.log(0)">Welcome to safeland</b><br>
<a draggable="true" ondrag="console.log(1)">test</a>
<a id=x tabindex=1 onfocus=console.log(2)>test</a>
<a onclick="console.log(3)">test</a>
<marquee onstart=console.log(4)></marquee>
<x ondrag=console.log(5)>drag this!</x>
<title onmouseover="console.log(6)">test</title>
<img src/onerror="console.log(7)">
<textarea onclick="console.log(8)">test</textarea>
<a href="javascript:console.log(9)">This is fun</a><br>
<img src=x onerror="console.log(10)">
<button formaction="javascript:alert(11)" onclick="javascript:alert(12)"></button>
<math href="javascript:alert(13)">CLICKME</math>
<set attributeName="onmouseover" to="alert(14)"/>
<animate attributeName="onunload" to="alert(15)"/>
<video autoplay onplay=alert(16)><source src="validvideo.mp4" type="video/mp4"></video>
<var onpaste="alert(17)" contenteditable>test</var>
<article onmouseout="alert(18)">test</article>
<area onclick="alert(19)">test</area>
<a onmouseover="alert(20)">test</a>
<body onload=alert(21)></body>
<html ontouchstart=alert(22)></html>
<svg onload=alert(23)>
<form action=javascript:alert(24)><input type=submit></form>
<audio src/onerror=alert(25)>
`
const result = DOMPurify.sanitize(testString)
```
Sanitize-html 1.27.5
```
const testString = `
<b onclick="console.log(0)">Welcome to safeland</b><br>
<a draggable="true" ondrag="console.log(1)">test</a>
<a id=x tabindex=1 onfocus=console.log(2)>test</a>
<a onclick="console.log(3)">test</a>
<marquee onstart=console.log(4)></marquee>
<x ondrag=console.log(5)>drag this!</x>
<title onmouseover="console.log(6)">test</title>
<img src/onerror="console.log(7)">
<textarea onclick="console.log(8)">test</textarea>
<a href="javascript:console.log(9)">This is fun</a><br>
<img src=x onerror="console.log(10)">
<button formaction="javascript:alert(11)" onclick="javascript:alert(12)"></button>
<math href="javascript:alert(13)">CLICKME</math>
<set attributeName="onmouseover" to="alert(14)"/>
<animate attributeName="onunload" to="alert(15)"/>
<video autoplay onplay=alert(16)><source src="validvideo.mp4" type="video/mp4"></video>
<var onpaste="alert(17)" contenteditable>test</var>
<article onmouseout="alert(18)">test</article>
<area onclick="alert(19)">test</area>
<a onmouseover="alert(20)">test</a>
<body onload=alert(21)></body>
<html ontouchstart=alert(22)></html>
<svg onload=alert(23)>
<form action=javascript:alert(24)><input type=submit></form>
<audio src/onerror=alert(25)>
`
const result = sanitizeHtml(testString)
```
Js-XSS Latest
```
const testString = `
<b onclick="console.log(0)">Welcome to safeland</b><br>
<a draggable="true" ondrag="console.log(1)">test</a>
<a id=x tabindex=1 onfocus=console.log(2)>test</a>
<a onclick="console.log(3)">test</a>
<marquee onstart=console.log(4)></marquee>
<x ondrag=console.log(5)>drag this!</x>
<title onmouseover="console.log(6)">test</title>
<img src/onerror="console.log(7)">
<textarea onclick="console.log(8)">test</textarea>
<a href="javascript:console.log(9)">This is fun</a><br>
<img src=x onerror="console.log(10)">
<button formaction="javascript:alert(11)" onclick="javascript:alert(12)"></button>
<math href="javascript:alert(13)">CLICKME</math>
<set attributeName="onmouseover" to="alert(14)"/>
<animate attributeName="onunload" to="alert(15)"/>
<video autoplay onplay=alert(16)><source src="validvideo.mp4" type="video/mp4"></video>
<var onpaste="alert(17)" contenteditable>test</var>
<article onmouseout="alert(18)">test</article>
<area onclick="alert(19)">test</area>
<a onmouseover="alert(20)">test</a>
<body onload=alert(21)></body>
<html ontouchstart=alert(22)></html>
<svg onload=alert(23)>
<form action=javascript:alert(24)><input type=submit></form>
<audio src/onerror=alert(25)>
`
const result = filterXSS(testString)
```
Latest run results:
Run details: (Test run date: 10 months ago)
User agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36
Browser/OS: Chrome 138 on Windows
| Test name | Executions per second |
| --- | --- |
| Dompurify 2.3.3 | 856.5 Ops/sec |
| Sanitize-html 1.27.5 | 14630.4 Ops/sec |
| Js-XSS Latest | 9563.2 Ops/sec |
Autogenerated LLM Summary (model llama3.2:3b, generated one year ago):

Based on the provided benchmark results, I'll focus on the two relevant tests: "Js-XSS Latest" and "Sanitize-html 1.27.5".

**Test 1: Js-XSS Latest**

The latest benchmark result is:

```
{
  "RawUAString": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36",
  "Browser": "Chrome 116",
  "DevicePlatform": "Desktop",
  "OperatingSystem": "Windows",
  "ExecutionsPerSecond": 13430.4990234375,
  "TestName": "Js-XSS Latest"
}
```

This result indicates that the Js-XSS filter is passing through malicious input, suggesting a vulnerability.

**Test 2: Sanitize-html 1.27.5**

The benchmark result is:

```
{
  "RawUAString": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36",
  "Browser": "Chrome 116",
  "DevicePlatform": "Desktop",
  "OperatingSystem": "Windows",
  "ExecutionsPerSecond": 4646.60791015625,
  "TestName": "Sanitize-html 1.27.5"
}
```

This result indicates that the Sanitize-html filter is passing through malicious input, suggesting a vulnerability.

In both cases, it appears that the filters are not properly sanitizing user input, allowing malicious code to execute. This highlights the importance of keeping these filters up-to-date and thoroughly tested to ensure they can effectively prevent XSS attacks.
Related benchmarks:
Dompurify vs sanitize-html
Dompurify vs sanitize-html vs js-xss
Dompurify 2.4.1 vs js-xss 1.0.14
Dompurify vs sanitize-html (2024-03-16)