# DOMPurify [![NPM version](http://img.shields.io/npm/v/dompurify.svg)](https://www.npmjs.org/package/dompurify)

DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It's written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Spartan, Firefox and Chrome - as well as almost anything else using Blink or WebKit). It doesn't break on IE6 or other legacy browsers. It simply does nothing there.

DOMPurify is written by security people who have a vast background in web attacks and XSS. Fear not. For more details please also read about our [Security Goals & Threat Model](https://github.com/cure53/DOMPurify/wiki/Security-Goals-&-Threat-Model)

## What does it do?

DOMPurify sanitizes HTML and prevents XSS attacks. You can feed DOMPurify with a string full of dirty HTML and it will return a string with clean HTML. DOMPurify will strip out everything that contains dangerous HTML and thereby prevent XSS attacks and other nastiness. It's also damn bloody fast. We use the technologies the browser provides and turn them into an XSS filter. The faster your browser, the faster DOMPurify will be.

## How do I use it?

It's easy. Just include DOMPurify on your website.

```html
```

Afterwards you can sanitize strings by executing the following code:

```javascript
var clean = DOMPurify.sanitize(dirty);
```

If you're using an [AMD](https://github.com/amdjs/amdjs-api/wiki/AMD) module loader like [Require.js](http://requirejs.org/), you can load this script asynchronously as well:

```javascript
require(['dompurify'], function(DOMPurify) {
    var clean = DOMPurify.sanitize(dirty);
});
```

You can also grab the files straight from NPM:

_(Note: DOMPurify [doesn't work in Node.js yet](https://github.com/cure53/DOMPurify/issues/29), but runs fine with [Browserify](http://browserify.org/).)_

```bash
npm install dompurify
```

```javascript
var DOMPurify = require('dompurify');
var clean = DOMPurify.sanitize(dirty);
```

## Is there a demo?

Of course there is a demo! [Play with DOMPurify](https://cure53.de/purify)

## Some samples please?

What does purified markup look like? Well, [the demo](https://cure53.de/purify) shows it for a big bunch of nasty elements. But let's also show some smaller examples!

```javascript
DOMPurify.sanitize(''); // becomes
DOMPurify.sanitize(''); // becomes
DOMPurify.sanitize('