Dompurify, Sanitize (version: 1)
Comparing performance of: DOMPurify with IN_PLACE vs Sanitize HTML vs DOMPurify without IN_PLACE
Created: 2 years ago by: Registered User
HTML Preparation code:
<script src="https://cdnjs.cloudflare.com/ajax/libs/dompurify/2.2.7/purify.min.js"></script>
Tests:
DOMPurify with IN_PLACE
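// DOMPurify documents IN_PLACE for sanitizing a DOM node in place; the input here is a string.
const testString = `
  <b>Welcome to safeland</b><br>
  <a href='javascript:alert(1)'>This is fun</a><br>
  <img src=x onerror=console.log(1)>
`;
const result = DOMPurify.sanitize(testString, { IN_PLACE: true });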
Sanitize HTML
// This test case only declares the string; it calls no sanitizer.
const testString = `
  <b>Welcome to safeland</b><br>
  <a href='javascript:alert(1)'>This is fun</a><br>
  <img src=x onerror=console.log(1)>
`;
DOMPurify without IN_PLACE
// Default mode: string in, sanitized string out.
const testString = `
  <b>Welcome to safeland</b><br>
  <a href='javascript:alert(1)'>This is fun</a><br>
  <img src=x onerror=console.log(1)>
`;
const result = DOMPurify.sanitize(testString);
Latest run results:
Run details: (Test run date: one year ago)
User agent: Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3.1 Mobile/15E148 Safari/604.1
Browser/OS: Mobile Safari 18 on iOS 18.3.2
Executions per second, by test name:
DOMPurify with IN_PLACE: 39072.9 Ops/sec
Sanitize HTML: 478799456.0 Ops/sec
DOMPurify without IN_PLACE: 38069.9 Ops/sec
Autogenerated LLM Summary (model llama3.2:3b, generated one year ago):
Let's dive into the world of JavaScript microbenchmarks on MeasureThat.net.

**What is being tested?**

The benchmark is testing two approaches to sanitize HTML in JavaScript: DOMPurify and manual sanitization.

**DOMPurify**

DOMPurify is a library that provides a simple way to sanitize HTML by removing potential security vulnerabilities. It's designed to prevent cross-site scripting (XSS) attacks. The library uses a set of rules, such as removing script tags, CSS styles, and other malicious code, to clean the input HTML.

**Manual Sanitization**

In contrast, manual sanitization involves writing custom code to remove specific HTML elements or attributes that can be used for XSS attacks. This approach requires more effort and expertise than using a library like DOMPurify.

**Options compared:**

The benchmark is comparing three options:

1. **DOMPurify with IN_PLACE**: This option uses the DOMPurify library with the `IN_PLACE` flag set to `true`. The `IN_PLACE` flag allows DOMPurify to modify the original HTML string instead of returning a new, sanitized string.
2. **Sanitize HTML**: This option is manual sanitization using the same input HTML as in the benchmark definition.
3. **DOMPurify without IN_PLACE**: This option uses the DOMPurify library without the `IN_PLACE` flag.

**Pros and Cons:**

* **DOMPurify with IN_PLACE**:
  + Pros: Faster execution, as it modifies the original string.
  + Cons: May have performance implications if the input HTML is large or complex.
* **Sanitize HTML**:
  + Pros: Customizable rules, as the developer can define their own sanitization logic.
  + Cons: Requires more effort and expertise to write effective sanitization code.
* **DOMPurify without IN_PLACE**:
  + Pros: Easier to understand and maintain, as it returns a new, sanitized string.
  + Cons: Slower execution, as it creates a new string.

**Other considerations:**

* The benchmark only tests the DOMPurify library, which is widely used for HTML sanitization. Other libraries, like jsdom or html-purifier, may have similar performance characteristics but differ in their implementation details.
* The benchmark assumes that the input HTML contains malicious code, such as script tags or CSS styles. In reality, not all XSS attacks use these techniques.

**Special JS feature or syntax:**

There are no special JavaScript features or syntax used in this benchmark. The focus is on comparing two sanitization approaches using standard JavaScript.

I hope this explanation helps you understand the benchmark and its results!