DOMPurify is a JavaScript DOM-only XSS sanitizer for HTML, MathML, and SVG. It takes “dirty” markup and returns cleaned output, stripping dangerous elements and attributes, and it is configurable with hooks. Useful for safely rendering user-provided or untrusted HTML-like content in modern browsers (and can also run server-side with Node.js plus a DOM such as jsdom).
Project status
- DOMPurify (cure53/DOMPurify) appears actively maintained, with upstream and repo activity in the last few days (latest updates on 2026-06-12 through 2026-06-17, and upstream push on 2026-06-17).
- Apparent update cadence is frequent and maintenance-like, with several patch updates landing within about a month (3.4.2 on 2026-04-30, then 3.4.3 to 3.4.11 across roughly mid-May to mid-June).
AI summary generated
Recent updates
3.4.12
DOMPurify 3.4.12 adds allowlisted SVG attributes (including dominant-baseline and text-orientation) and includes security hardening around hook handling and declarative partial updates. The diff shows additional in-place sanitization pre-processing logic intended to prevent edge cases where unsanitized linkage or event-handler-bearing nodes could “leak” during traversal.
SecurityFeatures3.4.11
DOMPurify 3.4.11 focuses on fixing hook configuration leaking when using persistent configuration via setConfig. The code change also tightens hook registration behavior and updates development tooling and dependency versions to address known vulnerabilities and clean up linting/docs.
BreakingSecurity3.4.10
DOMPurify 3.4.10 focuses on internal refactoring and performance tuning. The release also adds a deterministic micro-benchmark harness (npm run bench with --compare) and updates demos/README plus CI/workflow changes to reduce redundant browser testing runs.
Features3.4.9
DOMPurify 3.4.9 focuses on hardening Trusted Types handling and improving sanitization behavior around tricky DOM cases. The code diff shows notable internal changes to how Trusted Types policies are guarded and how the sanitizer avoids problematic document mutations, alongside expanded test coverage and dependency updates.
Security3.4.8
DOMPurify 3.4.8 contains a few targeted fixes, notably around Trusted Types policy handling and template scrubbing behavior. It also updates repository packaging files (including license artifacts) and bumps some dependencies.
3.4.7
DOMPurify 3.4.7 focuses on security hardening around IN_PLACE sanitization and Shadow Roots, plus a fix for permanent hook pollution. The release notes also mention substantial test-suite refactoring and expanded coverage. The code diff additionally shows extra clobbering-protection logic beyond what is explicitly described in the release notes.
Security3.4.6
DOMPurify 3.4.6 focuses on hardening DOM Clobbering defenses for IN_PLACE sanitization, especially in cross-realm and Shadow DOM scenarios. The primary code change improves the internal detection logic for clobbered HTMLFormElement nodes to work reliably across realms.
Security3.4.5
DOMPurify 3.4.5 is a security-focused patch release intended to immediately address an XSS bypass introduced in 3.4.4. The release notes attribute the issue to a new HTML element named `selectedcontent` and state that the bypass has been fixed.
Security3.4.4
DOMPurify 3.4.4 expands the default allow-list and strengthens template-safety and cross-realm handling. The sanitizer now adds specific HTML tags/attributes to defaults, improves SAFE_FOR_TEMPLATES behavior for IN_PLACE sanitization, and improves detection of DOM nodes originating from different window/realms.
SecurityFeatures3.4.3
DOMPurify 3.4.3 focuses on improving Shadow DOM sanitization, including nested Shadow DOM handling, and hardening its SAFE_FOR_TEMPLATES template regexes against ReDoS. The release also updates the CI test matrix to include Node 26, refreshes tooling (Playwright, workflows, fuzzing), and bumps several dependencies.
3.4.2
DOMPurify 3.4.2 fixes an issue related to URI validation for attributes allowed via the ADD_ATTR callback, and corrects source maps that pointed to non-existing files. The release also includes CI/workflow maintenance and added test coverage, along with some dependency bumps.
Security3.4.1
DOMPurify 3.4.1 focuses on hardening sanitizer behavior for specific HTML/SVG edge cases. The release notes call out fixes for custom element on-handler stripping, an XHTML mixed-case bypass, SANITIZE_NAMED_PROPS repeated prefixing, and DOM-clobbering robustness for IN_PLACE.
Security3.4.0
DOMPurify 3.4.0 includes multiple security-focused sanitization fixes, including prototype pollution protections and several mitigations for mXSS scenarios. The release also updates MathML attribute handling and addresses configuration edge cases where function-based ADD_ATTR/ADD_TAGS behavior could leak across sanitizer instances or calls.
Security3.3.3
DOMPurify 3.3.3 includes a small fix related to Node 20 engine handling, plus several internal sanitizer logic changes. The release notes only mention the Node 20 hiccup fix, but the code diff shows multiple behavior changes in attribute/tag validation and SAFE_FOR_XML handling.
3.3.2
DOMPurify 3.3.2 ships security fixes for a jsdom parsing bypass and for prototype pollution when working with custom elements, plus a change to make `_isValidAttribute` configuration parsing less lenient. The code diff also shows broader sanitizer surface-area changes, including expanded allowlists for attributes/tags and URI scheme handling, along with build and tooling modernizations.
BreakingSecurity