Dompurify 2.4.1 vs js-xss 1.0.14
(version: 0)
Comparing performance of: dompurify vs js-xss
Created: 3 years ago by: Guest
HTML Preparation code:
<script src="https://rawgit.com/leizongmin/js-xss/master/dist/xss.js"></script>
<script src="https://cdn.jsdelivr.net/npm/dompurify@2.4.1/dist/purify.min.js"></script>
Tests:
dompurify
testString = "<b>Welcome to safeland</b><br><a href='javascript:alert(1)'>This is fun</a><br><img src=x onerror=console.log(1)>";
result = DOMPurify.sanitize(testString);
js-xss
testString = "<b>Welcome to safeland</b><br><a href='javascript:alert(1)'>This is fun</a><br><img src=x onerror=console.log(1)>";
result = filterXSS(testString);
Latest run results:
Run details: (Test run date: 10 months ago)
User agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:139.0) Gecko/20100101 Firefox/139.0
Browser/OS: Firefox 139 on Windows
| Test name | Executions per second |
| --- | --- |
| dompurify | 6233.5 Ops/sec |
| js-xss | 108857.4 Ops/sec |
Autogenerated LLM Summary (model llama3.2:3b, generated one year ago):
**Overview of the Benchmark**

The provided benchmark measures the performance difference between two JavaScript libraries: DOMPurify and js-xss, in terms of sanitizing user-inputted HTML strings.

**What is being tested?**

The test compares the execution time of each library when applied to a sample input string that contains malicious code. The input string includes a variety of vulnerabilities such as:

* An XSS attack using JavaScript:alert(1)
* Image tag with an onerror attribute that logs 1 to the console
* A broken image source (img src=x) that triggers an error

The test aims to measure which library can sanitize these inputs more efficiently.

**Options compared**

The two options being compared are:

1. **DOMPurify**: A popular JavaScript library for sanitizing user-inputted HTML strings.
2. **js-xss**: Another popular JavaScript library specifically designed for XSS protection.

**Pros and Cons of each approach:**

* **DOMPurify**:
  + Pros: Widely used, well-maintained, and has a large community behind it.
  + Cons: May not be as optimized for performance compared to js-xss.
* **js-xss**:
  + Pros: Highly optimized for performance, specifically designed for XSS protection.
  + Cons: Less widely adopted and maintained compared to DOMPurify.

**Library descriptions**

* **DOMPurify**: A JavaScript library that uses a combination of HTML parsing and regular expressions to sanitize user-inputted HTML strings. It also includes additional features like filtering out script tags, disabling attributes, and removing specific keywords.
* **js-xss**: A lightweight JavaScript library designed specifically for XSS protection. It uses a whitelist-based approach, where only trusted attributes and values are allowed in the sanitized output.

**Special JS feature or syntax**

The test case uses some special JavaScript features:

* `onerror` attribute on an image tag
* JavaScript:alert(1) (a common XSS attack technique)

These features are used to simulate a real-world scenario where malicious code can be executed, making the benchmark more relevant and realistic.

**Other alternatives**

There are other libraries available for sanitizing user-inputted HTML strings, such as:

* **html-purifier**: A PHP-based library that can also be used in JavaScript
* **xss-filter**: A Node.js module designed specifically for XSS protection

These alternatives may offer different trade-offs between performance, security, and ease of use, making them suitable for specific use cases.