Dompurify vs sanitize-html latest fixed (version: 1)
Comparing performance of: DOMPurify vs Sanitize HTML
Created: one year ago by: Guest
HTML Preparation code:
<script src="https://cdn.jsdelivr.net/npm/sanitize-html/dist/sanitize-html.min.js"></script>
<script src="https://cdn.jsdelivr.net/npm/dompurify/dist/purify.min.js"></script>

Tests:

DOMPurify
const testString = `
  <b>Welcome to safeland</b><br>
  <a href='javascript:alert(1)'>This is fun</a><br>
  <img src=x onerror=console.log(1)>
`;
const result = DOMPurify.sanitize(testString);

Sanitize HTML
const testString = `
  <b>Welcome to safeland</b><br>
  <a href='javascript:alert(1)'>This is fun</a><br>
  <img src=x onerror=console.log(1)>
`;
const result = sanitizeHtml(testString);
Latest run results:
Run details: (Test run date: 27 days ago)
User agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36 Edg/146.0.0.0
Browser/OS: Chrome 146 on Windows
| Test name | Executions per second |
| --- | --- |
| DOMPurify | 6243.1 Ops/sec |
| Sanitize HTML | 37280.5 Ops/sec |
Autogenerated LLM Summary (model gpt-4o-mini, generated one year ago):
The benchmark you provided compares the performance of two libraries for sanitizing HTML content: **DOMPurify** and **sanitize-html**. Both libraries are widely used for preventing Cross-Site Scripting (XSS) attacks by cleaning up harmful HTML input, but they have different implementations and performance characteristics.

### Libraries Explained

1. **DOMPurify**:
   - **Purpose**: An extremely fast sanitizer for HTML that is designed to clean user-submitted HTML, allowing safe rendering in web pages. It automatically removes problematic attributes and elements to prevent XSS.
   - **Pros**:
     - High performance and efficiency, making it suitable for real-time applications.
     - Actively maintained and widely adopted in the web development community.
     - Supports the latest web standards and practices.
   - **Cons**:
     - Can be overzealous, potentially stripping out some HTML elements that might be desired in certain contexts.

2. **sanitize-html**:
   - **Purpose**: Provides a way to clean HTML with a focus on maintaining desired elements, attributes, and styles while still preventing XSS.
   - **Pros**:
     - More configurable out-of-the-box, allowing users to specify which HTML elements and attributes should be allowed through.
     - Good for use cases that require a greater level of control over the output HTML.
   - **Cons**:
     - Generally slower than DOMPurify due to the additional checks and balances in place.
     - The configuration might be overwhelming for quick implementations.

### Benchmark Results Analysis

The results show two key performance indicators: **Executions Per Second**. Here's a breakdown of the performance:

- **sanitize-html** achieved **148,985.28** executions per second.
- **DOMPurify** achieved **42,340.78** executions per second.

From these results, we can infer:

- **sanitize-html** performs significantly better in this test case, nearly 3.5 times faster than DOMPurify.
- This could imply that for scenarios demanding high performance with large volumes of HTML content to sanitize, **sanitize-html** might be the preferable choice based on this specific benchmark.

### Considerations

1. **Choice of Library**:
   - If you need high performance and can sacrifice some configurability, **DOMPurify** may be the better choice.
   - If your application has specific sanitization needs and requires a higher level of customization, **sanitize-html** could be the right option, despite being slower in this benchmark.
2. **Ease of Use**: Both libraries are straightforward to implement, but **sanitize-html's** configurability may require more setup work.
3. **Security**: While performance is a key factor, security should always be prioritized when dealing with user-generated content, so testing both libraries in real-world scenarios is essential.
4. **Alternatives**:
   - Alternatives like **XSS-Filters**, **js-slang**, and custom sanitization routines can be considered, but they may vary in terms of performance and security guarantees. Always assess and test any alternatives thoroughly before using them in production.

In summary, both **DOMPurify** and **sanitize-html** are powerful tools for HTML sanitization, each with unique advantages. The choice between them should consider the specific needs of your application, such as performance requirements, desired configurability, and the nature of the content being sanitized.
Related benchmarks:
Dompurify vs sanitize-html
Dompurify 2.3.3 vs sanitize-html
Dompurify 2.4.1 vs js-xss 1.0.14
Dompurify vs sanitize-html latest
Dompurify, Sanitize
Dompurify vs sanitize-html 3
Dompurify 3.0.8, Sanitize
Dompurify vs sanitize-html (2024-03-16)
Dompurify vs sanitize-html (latest)