js-xss vs DOMPurify
(version: 1)
Comparing performance of: DOMPurify vs js-xss
Created: one year ago by: Guest
HTML Preparation code:

```html
<script src="https://cdn.jsdelivr.net/npm/dompurify@3.2.3/dist/purify.min.js"></script>
<script src="https://cdn.jsdelivr.net/npm/xss@1.0.15/dist/xss.min.js"></script>
```

Script Preparation code:

```js
// Benchmark input: benign markup plus a javascript: URL and an inline onerror handler.
const testString = `
<b>Welcome to safeland</b><br>
<a href='javascript:alert(1)'>This is fun</a><br>
<img src=x onerror=console.log(1)>
`;
```

Tests:

DOMPurify

```js
const result = DOMPurify.sanitize(testString);
```

js-xss

```js
const result = filterXSS(testString);
```
Latest run results:

Run details (test run date: 5 months ago):
User agent: Mozilla/5.0 (X11; Linux x86_64; rv:145.0) Gecko/20100101 Firefox/145.0
Browser/OS: Firefox 145 on Linux

| Test name | Executions per second |
|---|---|
| DOMPurify | 21216.9 Ops/sec |
| js-xss | 191382.6 Ops/sec |
Autogenerated LLM Summary (model gpt-4o-mini, generated one year ago):
The benchmark described in the provided JSON compares two libraries used for sanitizing HTML strings: **DOMPurify** and **js-xss**. Both libraries are designed to prevent cross-site scripting (XSS) attacks by cleaning user-generated input, but they employ different techniques and have varying performance characteristics.

### Libraries being compared

1. **DOMPurify**
   - **Purpose**: DOMPurify is a popular library for sanitizing HTML that removes elements and attributes that can lead to XSS vulnerabilities. It offers a safe way to use HTML in web applications by parsing the input and ensuring that it only contains safe content.
   - **Pros**:
     - Comprehensive sanitization, including a wide variety of potential attack vectors.
     - Actively maintained with frequent updates and community support.
     - Simple API for developers to use.
   - **Cons**:
     - Can be more performance-intensive, especially for larger inputs, due to its thoroughness.
     - Larger bundle size compared to some lighter alternatives.

2. **js-xss**
   - **Purpose**: js-xss is another library for XSS prevention that focuses on a customizable whitelist of allowed HTML tags and attributes. This flexibility allows finer control over what is considered safe.
   - **Pros**:
     - Lightweight and often faster than DOMPurify, particularly for specific sanitization needs.
     - Customizable filtering rules enable tailoring behavior to specific use cases.
   - **Cons**:
     - Requires more careful configuration to avoid leaving security gaps; misconfigurations could lead to vulnerabilities.
     - More limited in functionality when compared to DOMPurify, potentially missing advanced sanitization features.

### Benchmark Comparison

The benchmark consists of executing a predefined test string containing potentially harmful HTML. The string includes:

- A bolded welcome message.
- A link that can trigger a JavaScript alert (which is generally unsafe).
- An image tag with an `onerror` handler that logs to the console if the image fails to load (another unsafe example).

In terms of the benchmark results:

- **js-xss** executed **315,981.81** operations per second.
- **DOMPurify** executed **43,363.18** operations per second.

### Considerations and Alternatives

#### Performance Considerations

The benchmark shows that js-xss is significantly faster than DOMPurify in the tested case. While speed may be a priority in certain applications, developers should also consider the completeness and security of the sanitization process. A faster library may lead to potential security issues if not configured properly.

#### Other Alternatives

Apart from DOMPurify and js-xss, there are other alternatives available for HTML sanitization, including:

- **HTML Sanitizer**: A simple and effective library that sanitizes user input by using a default set of rules.
- **sanitize-html**: Allows customization of allowed tags and attributes with a user-friendly API while also providing protection against XSS.
- **purifyCSS**: This focuses on CSS sanitization specifically but can be useful when styling HTML content.

### Summary

When choosing between DOMPurify and js-xss, consider the performance versus security trade-offs. DOMPurify offers a higher level of security but may come with a performance cost, while js-xss provides speed and configurability but requires careful implementation to ensure security. Your choice should align with your application's specific needs and security posture.