Sanitize user HTML safely (DOMPurify + JSDOM)

9078 views

                  import { JSDOM } from 'jsdom';
import createDOMPurify from 'dompurify';

const window = new JSDOM('').window as unknown as Window;
const DOMPurify = createDOMPurify(window);

export function sanitizeHtml(dirty: string) {
  return DOMPurify.sanitize(dirty, {
    ALLOWED_TAGS: ['p', 'b', 'i', 'em', 'strong', 'a', 'code', 'pre', 'ul', 'ol', 'li', 'blockquote'],
    ALLOWED_ATTR: ['href', 'target', 'rel']
  });
}

Letting users paste rich content is a product requirement that can become a security nightmare. I never try to write my own sanitizer. Instead, I run HTML through DOMPurify using JSDOM on the server and keep the allowlist small (minimal tags + attributes). If I need auditability or re-processing later, I store both the raw input and the sanitized output. I also disallow style attributes and inline event handlers, and I strip iframes by default. If embedding is needed, I whitelist specific providers via a separate embed pipeline. The theme is simple: separate ‘what users can submit’ from ‘what we render’, and treat that boundary like a security-critical API.

Mateo Rodriguez

More from Mateo Rodriguez

Sanitize user HTML safely (DOMPurify + JSDOM)

0 Comments

More from Mateo Rodriguez