Benchmark: Dompurify vs sanitize-html (2024-03-16)

HTML Preparation code:

<script src="https://cdnjs.cloudflare.com/ajax/libs/sanitize-html/1.27.5/sanitize-html.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/dompurify/3.0.9/purify.min.js"></script>

AخA
 
<script src="https://cdnjs.cloudflare.com/ajax/libs/sanitize-html/1.27.5/sanitize-html.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/dompurify/3.0.9/purify.min.js"></script>

Tests:

DOMPurify
const testString = ` Welcome to safeland <a href='javascript:alert(1)'>This is fun</a> <img src=x onerror=console.log(1)> ` const result = DOMPurify.sanitize(testString)
const testString = `
Welcome to safeland 
<a href='javascript:alert(1)'>This is fun</a> 
<img src=x onerror=console.log(1)>
`
const result = DOMPurify.sanitize(testString)
Sanitize HTML
const testString = ` Welcome to safeland <a href='javascript:alert(1)'>This is fun</a> <img src=x onerror=console.log(1)> ` const result = sanitizeHtml(testString)
const testString = `
Welcome to safeland 
<a href='javascript:alert(1)'>This is fun</a> 
<img src=x onerror=console.log(1)>
`
const result = sanitizeHtml(testString)

Rendered benchmark preparation results:

Suite status: <idle, ready to run>

Previous results

Experimental features:

Memory measurements supported only in Chrome.
For precise memory measurements Chrome must be launched with --enable-precise-memory-info flag.
More information: Monitoring JavaScript Memory

Test case name	Result
DOMPurify
Sanitize HTML

Fastest: N/A

Slowest: N/A

Latest run results:

Run details: (Test run date: one year ago)

User agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.3.1 Safari/605.1.15

Browser/OS: Safari 17 on Mac OS X 10.15.7

View result in a separate tab

Test name	Executions per second
DOMPurify	40986.0 Ops/sec
Sanitize HTML	191538.1 Ops/sec

Autogenerated LLM Summary (model llama3.2:3b, generated 6 months ago):

Let's break down the benchmark and explain what's being tested.

Benchmark Overview

The benchmark is comparing two HTML sanitization libraries: sanitize-html (also known as Sanitize HTML) and DOMPurify. The goal is to measure which library performs better in terms of speed.

Options Compared

There are only two options being compared:

Sanitize HTML: This library is used for sanitizing user-inputted HTML strings to prevent XSS (Cross-Site Scripting) attacks.
DOMPurify: This library is also used for sanitizing user-inputted HTML strings, but it has additional features such as detecting and removing specific types of tags.

Pros and Cons

Here are the pros and cons of each approach:

Sanitize HTML:

Pros:

Simple and lightweight
Easy to use
Fast

Cons:

May not detect all possible XSS attacks
Does not provide detailed information about the sanitized HTML

DOMPurify:

Pros:

More comprehensive security features (e.g., detects and removes specific types of tags)
Provides detailed information about the sanitized HTML

Cons:

Larger and heavier than Sanitize HTML
More complex to use

Other Considerations

Both libraries are designed to work with JavaScript, but they have different implementation details. For example, DOMPurify uses a more aggressive approach to sanitizing HTML, which may impact performance.

Library Used in Test Case

In the test case, both sanitize-html and DOMPurify libraries are used. The Sanitize HTML library is included in the HTML preparation code, while the DOMPurify library is referenced in the JavaScript preparation code using a script tag.

Special JS Feature or Syntax

The test cases use a special syntax to create a malicious HTML string that exploits vulnerabilities in the sanitization process. This is done to simulate real-world XSS attacks and measure which library can handle them better.

In summary, this benchmark compares two popular HTML sanitization libraries: Sanitize HTML and DOMPurify. The results provide insights into which library performs better in terms of speed and security features.

Other Alternatives

If you're interested in exploring alternative options, here are a few notable ones:

HTML-Parse: A lightweight JavaScript library for parsing and sanitizing HTML.
js-xss: A simple JavaScript library for detecting and preventing XSS attacks.
OWASP ESAPI: A comprehensive security framework that includes a sanitizer component.

Keep in mind that each alternative has its own strengths and weaknesses, and the choice of which one to use depends on your specific requirements and constraints.

LLMs can make mistakes. Check important info.

Let's break down the benchmark and explain what's being tested.

**Benchmark Overview**

The benchmark is comparing two HTML sanitization libraries: `sanitize-html` (also known as Sanitize HTML) and `DOMPurify`. The goal is to measure which library performs better in terms of speed.

**Options Compared**

There are only two options being compared:

1. **Sanitize HTML**: This library is used for sanitizing user-inputted HTML strings to prevent XSS (Cross-Site Scripting) attacks.
2. **DOMPurify**: This library is also used for sanitizing user-inputted HTML strings, but it has additional features such as detecting and removing specific types of tags.

**Pros and Cons**

Here are the pros and cons of each approach:

**Sanitize HTML:**

Pros:

* Simple and lightweight
* Easy to use
* Fast

Cons:

* May not detect all possible XSS attacks
* Does not provide detailed information about the sanitized HTML

**DOMPurify:**

Pros:

* More comprehensive security features (e.g., detects and removes specific types of tags)
* Provides detailed information about the sanitized HTML

Cons:

* Larger and heavier than Sanitize HTML
* More complex to use

**Other Considerations**

**Library Used in Test Case**

In the test case, both `sanitize-html` and `DOMPurify` libraries are used. The Sanitize HTML library is included in the HTML preparation code, while the DOMPurify library is referenced in the JavaScript preparation code using a script tag.

**Special JS Feature or Syntax**

**Other Alternatives**

If you're interested in exploring alternative options, here are a few notable ones:

1. **HTML-Parse**: A lightweight JavaScript library for parsing and sanitizing HTML.
2. **js-xss**: A simple JavaScript library for detecting and preventing XSS attacks.
3. **OWASP ESAPI**: A comprehensive security framework that includes a sanitizer component.

Keep in mind that each alternative has its own strengths and weaknesses, and the choice of which one to use depends on your specific requirements and constraints.

Related benchmarks:

Dompurify vs sanitize-html (2024-03-16) (version: 0)

Comparing performance of: DOMPurify vs Sanitize HTML

Created: one year ago by: Guest

Jump to the latest result

DOMPurify

Sanitize HTML

Suite status: <idle, ready to run>

Experimental features:

Fastest: N/A

Slowest: N/A

Autogenerated LLM Summary (model llama3.2:3b, generated 6 months ago):