Dompurify vs sanitize-html 3
(version: 0)
Comparing performance of: DOMPurify vs sanitizeHtml
Created: 2 years ago by: Guest
HTML Preparation code:
<script src="https://cdnjs.cloudflare.com/ajax/libs/sanitize-html/1.27.5/sanitize-html.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/dompurify/3.0.5/purify.min.js"></script>
Tests:
DOMPurify
const testString = `
<b>Welcome to safeland</b><br>
<a href='javascript:alert(1)'>This is fun</a><br>
<img src=x onerror=console.log(1)>
`
const result = DOMPurify.sanitize(testString)
sanitizeHtml
const testString = `
<b>Welcome to safeland</b><br>
<a href='javascript:alert(1)'>This is fun</a><br>
<img src=x onerror=console.log(1)>
`
const result = sanitizeHtml(testString)
Latest run results:
Run details: (Test run date: one year ago)
User agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Browser/OS: Chrome 131 on Windows
| Test name | Executions per second |
| --- | --- |
| DOMPurify | 35130.6 Ops/sec |
| sanitizeHtml | 93134.7 Ops/sec |
Autogenerated LLM Summary (model llama3.2:3b, generated one year ago):
Let's break down the provided benchmark and its test cases.

**Overview**

The benchmark compares two libraries: `sanitize-html` (3) and `DOMPurify`. The goal is to measure which library is faster at sanitizing HTML input.

**Options being compared**

There are only two options being compared:

1. **sanitize-html**: A JavaScript library that removes malicious attributes, tags, and values from HTML input.
2. **DOMPurify**: Another JavaScript library specifically designed for purifying HTML input by removing a wide range of potential vulnerabilities.

**Pros and Cons:**

* **sanitize-html**:
  * Pros:
    * Faster execution times in the benchmark
    * Smaller footprint (lower file size)
  * Cons:
    * Less comprehensive sanitization (only removes specific attributes and tags)
* **DOMPurify**:
  * Pros:
    * More comprehensive sanitization (removes a wide range of potential vulnerabilities, including JavaScript injection and inline CSS)
  * Cons:
    * Slower execution times in the benchmark
    * Larger footprint (higher file size)

**Library descriptions**

1. **sanitize-html**: A lightweight library that uses a combination of regular expressions and HTML parsing to sanitize input. It's designed for production use cases where speed and compactness are crucial.
2. **DOMPurify**: A more comprehensive library developed by the Same-Origin Policy (SOP) research team at MIT. DOMPurify is specifically designed for protecting web applications from cross-site scripting (XSS) attacks. While it's a great solution, its size and performance impact can be significant.

**Special JavaScript features or syntax**

The benchmark does not use any special JavaScript features or syntax that would affect the interpretation of the results. The test cases focus solely on the comparison between the two libraries' sanitization capabilities.

**Alternative approaches**

If you're looking for alternative solutions, consider the following:

1. **Use a Content Security Policy (CSP)**: Implementing CSP can help prevent XSS attacks by defining which sources are allowed to execute within your web application.
2. **Use HTML5 attributes**: Some HTML5 attributes, like `src` and `href`, inherently provide some level of protection against XSS attacks.
3. **Hand-crafted sanitization**: For specific use cases, you might need to implement custom sanitization logic tailored to your application's requirements.

Keep in mind that each approach has its pros and cons:

* CSP can be effective but may require more configuration and maintenance.
* HTML5 attributes can provide some protection but are not foolproof.
* Hand-crafted sanitization requires expertise and can be error-prone.