Benchmark: Dompurify, Sanitize

HTML Preparation code:

<script src="https://cdnjs.cloudflare.com/ajax/libs/dompurify/2.2.7/purify.min.js"></script>

Tests:

DOMPurify with IN_PLACE
const testString = ` Welcome to safeland <a href='javascript:alert(1)'>This is fun</a> <img src=x onerror=console.log(1)> ` const result = DOMPurify.sanitize(testString,{IN_PLACE:true})
Sanitize HTML
const testString = ` Welcome to safeland <a href='javascript:alert(1)'>This is fun</a> <img src=x onerror=console.log(1)> `
DOMPurify without IN_PLACE
const testString = ` Welcome to safeland <a href='javascript:alert(1)'>This is fun</a> <img src=x onerror=console.log(1)> ` const result = DOMPurify.sanitize(testString)

Rendered benchmark preparation results:

Suite status: <idle, ready to run>

Previous results

Test case name	Result
DOMPurify with IN_PLACE
Sanitize HTML
DOMPurify without IN_PLACE

Fastest: N/A

Slowest: N/A

Latest run results:

Run details: (Test run date: 15 days ago)

User agent: Mozilla/5.0 (iPhone; CPU iPhone OS 18_3_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3.1 Mobile/15E148 Safari/604.1

Browser/OS: Mobile Safari 18 on iOS 18.3.2

View result in a separate tab

Test name	Executions per second
DOMPurify with IN_PLACE	39072.9 Ops/sec
Sanitize HTML	478799456.0 Ops/sec
DOMPurify without IN_PLACE	38069.9 Ops/sec

Autogenerated LLM Summary (model llama3.2:3b, generated 6 months ago):

LLMs can make mistakes. Check important info.

Let's dive into the world of JavaScript microbenchmarks on MeasureThat.net.

**What is being tested?**

The benchmark is testing two approaches to sanitize HTML in JavaScript: DOMPurify and manual sanitization.

**DOMPurify**

DOMPurify is a library that provides a simple way to sanitize HTML by removing potential security vulnerabilities. It's designed to prevent cross-site scripting (XSS) attacks. The library uses a set of rules, such as removing script tags, CSS styles, and other malicious code, to clean the input HTML.

**Manual Sanitization**

In contrast, manual sanitization involves writing custom code to remove specific HTML elements or attributes that can be used for XSS attacks. This approach requires more effort and expertise than using a library like DOMPurify.

**Options compared:**

The benchmark is comparing three options:

1. **DOMPurify with IN_PLACE**: This option uses the DOMPurify library with the `IN_PLACE` flag set to `true`. The `IN_PLACE` flag allows DOMPurify to modify the original HTML string instead of returning a new, sanitized string.
2. **Sanitize HTML**: This option manual sanitization using the same input HTML as in the benchmark definition.
3. **DOMPurify without IN_PLACE**: This option uses the DOMPurify library without the `IN_PLACE` flag.

**Pros and Cons:**

* **DOMPurify with IN_PLACE**:
	+ Pros: Faster execution, as it modifies the original string.
	+ Cons: May have performance implications if the input HTML is large or complex.
* **Sanitize HTML**:
	+ Pros: Customizable rules, as the developer can define their own sanitization logic.
	+ Cons: Requires more effort and expertise to write effective sanitization code.
* **DOMPurify without IN_PLACE**:
	+ Pros: Easier to understand and maintain, as it returns a new, sanitized string.
	+ Cons: Slower execution, as it creates a new string.

**Other considerations:**

* The benchmark only tests the DOMPurify library, which is widely used for HTML sanitization. Other libraries, like jsdom or html-purifier, may have similar performance characteristics but differ in their implementation details.
* The benchmark assumes that the input HTML contains malicious code, such as script tags or CSS styles. In reality, not all XSS attacks use these techniques.

**Special JS feature or syntax:**

There are no special JavaScript features or syntax used in this benchmark. The focus is on comparing two sanitization approaches using standard JavaScript.

I hope this explanation helps you understand the benchmark and its results!

Related benchmarks:

Dompurify, Sanitize (version: 1)

Comparing performance of: DOMPurify with IN_PLACE vs Sanitize HTML vs DOMPurify without IN_PLACE

Created: one year ago by: Registered User

Jump to the latest result

DOMPurify with IN_PLACE

Sanitize HTML

DOMPurify without IN_PLACE

Suite status: <idle, ready to run>

Experimental features:

Fastest: N/A

Slowest: N/A

Autogenerated LLM Summary (model llama3.2:3b, generated 6 months ago):