The latest articles on Forem by Anupam Pandey (@anupam_pandey_cc55f0ade07). https://forem.com/anupam_pandey_cc55f0ade07 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2734567%2F4b592a19-c610-49aa-bb2b-4285e4820f87.png https://forem.com/anupam_pandey_cc55f0ade07 en Anupam Pandey Wed, 17 Dec 2025 16:33:34 +0000 https://forem.com/anupam_pandey_cc55f0ade07/dompurify-prevent-xss-attack-remove-all-the-script-tag-51mo https://forem.com/anupam_pandey_cc55f0ade07/dompurify-prevent-xss-attack-remove-all-the-script-tag-51mo <h2> Problem </h2> <p>Recently i had to build a feature where i take html content from user and save it in to mongodb and after i had to render that html content in browser.<br> But the problem is that what if user add script file like<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>alert("hacked") </code></pre> </div> <p>into the html content then page got stuck.</p> <h2> Solution </h2> <p>To solve this problem i use a package <a href="https://www.npmjs.com/package/dompurify" rel="noopener noreferrer">dompurify</a> <br> DOMpurify is used to prevent the XSS Attack. It remove all the dangerous tag from html and prevent XSS attack.</p> <p>To prevent we use sanitize method of the DOMpurify<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>import DOMPurify from 'dompurify'; const clean = DOMPurify.sanitize('&lt;math&gt;&lt;mi//xlink:href="data:x,&lt;script&gt;alert(4)&lt;/script&gt;"&gt;') // becomes &lt;math&gt;&lt;mi&gt;&lt;/mi&gt;&lt;/math&gt; </code></pre> </div> <p>If you ask me i always use DOMpurify to clean the html content specially if you get it from api.</p> <p>So Thanks for reading....</p> webdev javascript dompurify programming