Benchmark: Dompurify vs sanitize-html

HTML Preparation code:

<script src="https://cdnjs.cloudflare.com/ajax/libs/sanitize-html/1.27.5/sanitize-html.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/dompurify/2.2.7/purify.min.js"></script>

AخA
 
<script src="https://cdnjs.cloudflare.com/ajax/libs/sanitize-html/1.27.5/sanitize-html.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/dompurify/2.2.7/purify.min.js"></script>

Tests:

DOMPurify
const testString = ` Welcome to safeland <a href='javascript:alert(1)'>This is fun</a> <img src=x onerror=console.log(1)> ` const result = DOMPurify.sanitize(testString)
const testString = `
Welcome to safeland 
<a href='javascript:alert(1)'>This is fun</a> 
<img src=x onerror=console.log(1)>
`
const result = DOMPurify.sanitize(testString)
Sanitize HTML
const testString = ` Welcome to safeland <a href='javascript:alert(1)'>This is fun</a> <img src=x onerror=console.log(1)> ` const result = sanitizeHtml(testString)
const testString = `
Welcome to safeland 
<a href='javascript:alert(1)'>This is fun</a> 
<img src=x onerror=console.log(1)>
`
const result = sanitizeHtml(testString)

Rendered benchmark preparation results:

Suite status: <idle, ready to run>

Previous results

Experimental features:

Memory measurements supported only in Chrome.
For precise memory measurements Chrome must be launched with --enable-precise-memory-info flag.
More information: Monitoring JavaScript Memory

Test case name	Result
DOMPurify
Sanitize HTML

Fastest: N/A

Slowest: N/A

Latest run results:

Run details: (Test run date: 3 days ago)

User agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36

Browser/OS: Chrome 123 on Mac OS X 10.15.7

View result in a separate tab

Test name	Executions per second
DOMPurify	25967.2 Ops/sec
Sanitize HTML	134564.8 Ops/sec

Autogenerated LLM Summary (model llama3.2:3b, generated 6 months ago):

Benchmark Overview

MeasureThat.net is a platform that allows users to create and run JavaScript microbenchmarks. The provided benchmark compares the performance of two popular libraries: DOMPurify and sanitize-html.

Library Descriptions

DOMPurify: DOMPurify is a library that helps remove malicious content from HTML strings, making it safer for consumption by web browsers. It provides a simple API to sanitize user-generated content.
sanitize-html: sanitize-html is another popular library for sanitizing HTML content. It offers more advanced features than DOMPurify, including support for custom whitelisting and blacklisting of tags, attributes, and values.

Comparison of Options

The benchmark compares the performance of two options:

DOMPurify vs Sanitize HTML: The two libraries have different approaches to sanitizing HTML content.
- DOMPurify: Uses a simple, rules-based approach to remove malicious tags and attributes from the input string.
- Sanitize HTML: Employs a more advanced approach that uses regular expressions and custom whitelisting/blacklisting to sanitize the input string.

Pros and Cons of Each Approach

DOMPurify:
- Pros:
  - Simple, lightweight implementation
  - Fast execution times
- Cons:
  - May not catch all malicious content (e.g., JavaScript injections)
Sanitize HTML:
- Pros:
  - More comprehensive sanitization capabilities
  - Customizable whitelisting/blacklisting
- Cons:
  - Heavier implementation compared to DOMPurify
  - May have slower execution times

Special JS Features/Syntax

In this benchmark, the test users special JavaScript features/syntax:

JavaScript:alert(1): Used in the onerror attribute of an image tag.
\r\n: Used to create a newline character in the input string.

Other Considerations

The benchmark uses Chrome 129 as the test browser, which may affect the results due to its version-specific features and performance characteristics.
The device platform is specified as Desktop, but the results are not explicitly verified for desktop vs. mobile devices.

Alternatives

If you're interested in exploring alternative libraries or approaches for sanitizing HTML content, some popular options include:

Cheerio: A lightweight jQuery-like library for parsing and manipulating HTML documents.
DOMParser: A native JavaScript API for parsing and transforming HTML documents.
HTML Sanitizer by WAPForce: Another commercial-grade HTML sanitizer that offers advanced features and customization options.

Note that the choice of library or approach depends on your specific use case, performance requirements, and level of control over sanitization logic.

LLMs can make mistakes. Check important info.

**Benchmark Overview**

MeasureThat.net is a platform that allows users to create and run JavaScript microbenchmarks. The provided benchmark compares the performance of two popular libraries: DOMPurify and sanitize-html.

**Library Descriptions**

1. **DOMPurify**: DOMPurify is a library that helps remove malicious content from HTML strings, making it safer for consumption by web browsers. It provides a simple API to sanitize user-generated content.
2. **sanitize-html**: sanitize-html is another popular library for sanitizing HTML content. It offers more advanced features than DOMPurify, including support for custom whitelisting and blacklisting of tags, attributes, and values.

**Comparison of Options**

The benchmark compares the performance of two options:

1. **DOMPurify vs Sanitize HTML**: The two libraries have different approaches to sanitizing HTML content.
	* **DOMPurify**: Uses a simple, rules-based approach to remove malicious tags and attributes from the input string.
	* **Sanitize HTML**: Employs a more advanced approach that uses regular expressions and custom whitelisting/blacklisting to sanitize the input string.

**Pros and Cons of Each Approach**

1. **DOMPurify**:
	* Pros:
		+ Simple, lightweight implementation
		+ Fast execution times
	* Cons:
		+ May not catch all malicious content (e.g., JavaScript injections)
2. **Sanitize HTML**:
	* Pros:
		+ More comprehensive sanitization capabilities
		+ Customizable whitelisting/blacklisting
	* Cons:
		+ Heavier implementation compared to DOMPurify
		+ May have slower execution times

**Special JS Features/Syntax**

In this benchmark, the test users special JavaScript features/syntax:

1. **JavaScript:alert(1)**: Used in the `onerror` attribute of an image tag.
2. **\r\n**: Used to create a newline character in the input string.

**Other Considerations**

* The benchmark uses Chrome 129 as the test browser, which may affect the results due to its version-specific features and performance characteristics.
* The device platform is specified as Desktop, but the results are not explicitly verified for desktop vs. mobile devices.

**Alternatives**

If you're interested in exploring alternative libraries or approaches for sanitizing HTML content, some popular options include:

1. **Cheerio**: A lightweight jQuery-like library for parsing and manipulating HTML documents.
2. **DOMParser**: A native JavaScript API for parsing and transforming HTML documents.
3. **HTML Sanitizer by WAPForce**: Another commercial-grade HTML sanitizer that offers advanced features and customization options.

Note that the choice of library or approach depends on your specific use case, performance requirements, and level of control over sanitization logic.

Related benchmarks:

Dompurify vs sanitize-html (version: 0)

Comparing performance of: DOMPurify vs Sanitize HTML

Created: 4 years ago by: Guest

Jump to the latest result

DOMPurify

Sanitize HTML

Suite status: <idle, ready to run>

Experimental features:

Fastest: N/A

Slowest: N/A

Autogenerated LLM Summary (model llama3.2:3b, generated 6 months ago):