
HTML Sanitization: DOMPurify, sanitize-html, and Server-Side Approaches

May 24, 2026 3 min read By CodeTidy Team

The Hidden Dangers of Unsanitized HTML

We've all been there - you're working on a project, and you need to display user-generated content on your website. You think to yourself, "What's the worst that could happen?" The truth is that unsanitized HTML is the classic road to cross-site scripting (XSS): an attacker's markup ends up in your page, and the script it carries runs in your users' browsers with your site's origin, cookies and session. In this article, we'll explore why HTML sanitization matters and look at three pieces of the puzzle: DOMPurify in the browser, sanitize-html on the server, and Trusted Types as an enforcement layer on top of both.

Table of Contents

  • Understanding the Risks of Unsanitized HTML
  • Client-Side Sanitization with DOMPurify
  • Server-Side Sanitization with sanitize-html
  • The Allow-List vs Deny-List Debate
  • Trusted Types: A New Approach to Sanitization
  • Key Takeaways
  • FAQ

Understanding the Risks of Unsanitized HTML

When users are allowed to submit HTML (a rich-text comment, a profile bio, a forum post) that HTML can carry more than formatting: a script element, an event-handler attribute such as onerror, or a javascript: URL in a link. Rendered as-is, any of those executes in the context of your site and can steal data or hijack the user's session. You have two defenses. Escaping turns the whole input into inert text (every < becomes &lt;), which is the right choice when you do not need markup at all. Sanitization is for when you do need some markup: it parses the input, keeps an allow-listed subset of tags and attributes, and removes everything else. This article is about the second option.

Client-Side Sanitization with DOMPurify

DOMPurify is the most widely used sanitizer for the browser. It does not try to spot bad patterns with a deny list; it parses the input with the browser's own HTML parser, walks the resulting DOM and rebuilds it from an allow-list of tags and attributes, removing anything not on the list and stripping URL attributes that use dangerous schemes such as javascript:. Because the same engine parses and later renders the markup, the class of bugs where a sanitizer and a browser disagree about what a piece of HTML means is largely avoided. (It can also run on the server by giving it a jsdom window.) Here's an example of how to use DOMPurify in a JavaScript application:

import DOMPurify from 'dompurify';

// DOMPurify parses the input with the browser's HTML parser and rebuilds it
// from an allow-list of tags and attributes, so the engine that sanitizes is
// the engine that will later render the result.
const dirtyHtml = '<script>alert("XSS attack!")</script>';
const cleanHtml = DOMPurify.sanitize(dirtyHtml);

console.log(cleanHtml); // Output: ""

As you can see, DOMPurify drops the script element entirely, including its text content, rather than merely escaping it.

Server-Side Sanitization with sanitize-html

sanitize-html is a popular sanitization library for Node.js. It needs no DOM: it parses the input with its own HTML parser and emits only the tags and attributes you allow, which makes it a good fit for sanitizing content on the server before it is stored. Note that allowedAttributes is keyed by tag name (with '*' as a wildcard), not a flat list, and that by default the library also restricts href and src values to a small set of URL schemes such as http, https and mailto. Here's an example of how to use sanitize-html in a Node.js application:

const sanitizeHtml = require('sanitize-html');

const dirtyHtml = '<script>alert("XSS attack!")</script>';
const cleanHtml = sanitizeHtml(dirtyHtml, {
  allowedTags: ['p', 'img', 'a'],
  // allowedAttributes is an object keyed by tag name, not a flat array
  allowedAttributes: {
    a: ['href'],
    img: ['src', 'alt']
  }
});

console.log(cleanHtml); // Output: ""

As you can see, sanitize-html removes the script element (script and style contents are discarded rather than kept as text) and would keep only the listed tags and attributes from anything else in the input.

The Allow-List vs Deny-List Debate

When it comes to HTML sanitization, there are two approaches. A deny-list sanitizer removes the tags, attributes and patterns it knows are dangerous and passes everything else through; an allow-list sanitizer keeps only the tags and attributes it knows are safe and drops everything else. The difference shows up when something unexpected arrives: an event-handler attribute the filter never heard of, an obscure tag, a javascript: URL, or markup that the filter's parser and the browser's parser read differently. A deny list fails open (the unknown thing passes through); an allow list fails closed (it is dropped). That is why both DOMPurify and sanitize-html are allow-list based, and why we recommend the same approach for your own configuration: decide which handful of tags and attributes your feature actually needs, and reject the rest.
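To make the fail-open versus fail-closed difference concrete, here is an added example (not code from the original post, and not from DOMPurify or sanitize-html) that runs the same constructed payloads through a deny-list filter and an allow-list filter. Both filters, the tag and attribute regexes, and the allow-list itself are this article's own teaching models; the tokenizer is deliberately naive (no entity decoding, no real HTML parsing) and is not a substitute for a real sanitizer.

```javascript
// Added example (not part of the original post): a deny-list filter and an
// allow-list filter applied to the same constructed payloads. Both are
// teaching models written for this article, not production sanitizers.

// --- deny list: strip the two things the author thought of ---
function denyListFilter(html) {
  return html
    .replace(/<\/?script\b[^>]*>/gi, '')                                   // script tags
    .replace(/\son(error|click)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '');   // two handlers
}

// --- allow list: keep only what the feature needs, drop everything else ---
const ALLOWED = new Map([
  ['p', new Set()], ['br', new Set()], ['b', new Set()], ['i', new Set()],
  ['em', new Set()], ['strong', new Set()],
  ['a', new Set(['href'])],
  ['img', new Set(['src', 'alt'])],
]);
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto']);
const DROP_CONTENT = new Set(['script', 'style']);   // text inside these is never shown

const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
const ATTR_RE = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

function escapeText(s) {
  return s.replace(/[&<>"]/g, (c) => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' }[c]));
}

// Browsers strip tab, newline and leading control characters before parsing
// a URL, so "java\nscript:" is still javascript:. Strip the same set here,
// then allow only relative URLs or an allow-listed scheme.
function safeUrl(value) {
  const cleaned = value.replace(/[\u0000-\u0020]/g, '');
  const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return scheme === null || SAFE_SCHEMES.has(scheme[1].toLowerCase());
}

function allowListFilter(html) {
  let out = '';
  let last = 0;
  let dropUntil = null; // set while inside <script>/<style>
  for (const m of html.matchAll(TAG_RE)) {
    const [raw, slash, rawName, rawAttrs] = m;
    const name = rawName.toLowerCase();
    if (dropUntil === null) out += escapeText(html.slice(last, m.index));
    last = m.index + raw.length;
    if (dropUntil !== null) {
      if (slash && name === dropUntil) dropUntil = null;
      continue;
    }
    if (!ALLOWED.has(name)) {                    // unknown tag: fail closed
      if (!slash && DROP_CONTENT.has(name)) dropUntil = name;
      continue;
    }
    if (slash) { out += `</${name}>`; continue; }
    const attrs = [];
    for (const a of rawAttrs.matchAll(ATTR_RE)) {
      const attr = a[1].toLowerCase();
      if (!ALLOWED.get(name).has(attr)) continue; // unknown attribute: fail closed
      const value = a[2] ?? a[3] ?? a[4] ?? '';
      if ((attr === 'href' || attr === 'src') && !safeUrl(value)) continue;
      attrs.push(` ${attr}="${escapeText(value)}"`);
    }
    out += `<${name}${attrs.join('')}>`;         // re-serialised from parsed parts, never copied raw
  }
  if (dropUntil === null) out += escapeText(html.slice(last));
  return out;
}

// Constructed payloads: one benign, the rest bypasses of the deny list.
const PAYLOADS = [
  '<p>hello <b>world</b></p>',
  '<script>alert(1)</script>',
  '<scr<script>ipt>alert(1)</scr</script>ipt>',   // single-pass removal reassembles the tag
  '<img src="x" onerror="alert(1)">',
  '<img src="x" onload="alert(1)">',              // a handler the deny list never heard of
  '<a href="javascript:alert(1)">click</a>',      // the problem is the scheme, not a tag
  '<a href="java\nscript:alert(1)">click</a>',    // browsers ignore the newline
];

for (const p of PAYLOADS) {
  console.log(JSON.stringify(p));
  console.log('  deny-list : ' + JSON.stringify(denyListFilter(p)));
  console.log('  allow-list: ' + JSON.stringify(allowListFilter(p)));
}
```

Run it with node and compare the two columns: the deny list turns the nested payload into a working script tag and lets onload and javascript: through untouched, while the allow list reduces every payload to inert text or to the handful of tags and attributes it was told about. The design point is the last comment in allowListFilter: the output is re-serialised from parsed, allow-listed parts, so nothing from the input is ever copied through verbatim.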

Trusted Types: A New Approach to Sanitization

Trusted Types is not a sanitizer at all, and it has nothing to do with mixing allow lists and deny lists. It is a browser enforcement mechanism. When a page is served with the CSP directive require-trusted-types-for 'script', the DOM injection sinks (innerHTML, outerHTML, document.write, eval, script src and friends) refuse plain strings and accept only TrustedHTML, TrustedScript or TrustedScriptURL objects. Those objects can only be minted by a policy registered with trustedTypes.createPolicy, and the CSP trusted-types directive controls which policy names may exist. The effect is that sanitization has exactly one home in your code base, the policy, and any code path that tries to push an unsanitized string into a sink throws instead of rendering. DOMPurify integrates directly: DOMPurify.sanitize(dirty, { RETURN_TRUSTED_TYPE: true }) returns a TrustedHTML object. Check current browser support before relying on the enforcement; where a browser does not implement it, the policy still works as a code-organization pattern but the sink check is not applied, so keep sanitizing regardless.
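Here is an added example (not code from the original post or from the Trusted Types specification) that models the enforcement in plain Node, since there is no browser DOM to run it against. The TrustedHTML class, the trustedTypesModel object and the EnforcedElement sink are assumptions that mirror the shape of the real window.trustedTypes API and of an innerHTML setter under require-trusted-types-for 'script'; the policy name comment-policy is likewise invented for the example.

```javascript
// Added example (not part of the original post): an in-memory model of what
// Trusted Types enforces. In a real page the browser does this itself once
// the response carries
//   Content-Security-Policy: require-trusted-types-for 'script'; trusted-types comment-policy
// and the application calls window.trustedTypes.createPolicy. The model
// below is an assumption of this article that mirrors that API shape.

// --- browser side (modelled) ---
class TrustedHTML {
  #html;
  constructor(html) { this.#html = html; }
  toString() { return this.#html; }
}

const trustedTypesModel = {
  names: new Set(),
  createPolicy(name, rules) {
    // The real API rejects a name that is not listed in the CSP or is reused.
    if (this.names.has(name)) throw new TypeError(`policy "${name}" already exists`);
    this.names.add(name);
    return Object.freeze({
      name,
      createHTML: (input) => new TrustedHTML(rules.createHTML(String(input))),
    });
  },
  isHTML: (value) => value instanceof TrustedHTML,
};

// An element whose innerHTML setter behaves like a sink under enforcement.
class EnforcedElement {
  #html = '';
  set innerHTML(value) {
    if (!trustedTypesModel.isHTML(value)) {
      throw new TypeError("This document requires 'TrustedHTML' assignment.");
    }
    this.#html = String(value);
  }
  get innerHTML() { return this.#html; }
}

// --- application side ---
// Only a policy can mint TrustedHTML, so this is the one place a reviewer
// must audit. This policy renders comments as text by escaping everything;
// a policy for rich text would call DOMPurify.sanitize here instead.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const commentPolicy = trustedTypesModel.createPolicy('comment-policy', {
  createHTML: (dirty) => dirty.replace(/[&<>"']/g, (c) => ESCAPES[c]),
});

// The pre-Trusted-Types code path: a string straight into the sink.
function renderRaw(el, userInput) {
  el.innerHTML = userInput;
  return el.innerHTML;
}

// The migrated code path: every sink write goes through the policy.
function renderThroughPolicy(el, userInput) {
  el.innerHTML = commentPolicy.createHTML(userInput);
  return el.innerHTML;
}

// Demo with a constructed payload.
const payload = '<img src=x onerror="alert(1)">';
const el = new EnforcedElement();
try {
  renderRaw(el, payload);
} catch (e) {
  console.log('raw assignment rejected:', e.message);
}
console.log('through policy:', renderThroughPolicy(el, payload));
```

The point to take from the model is the division of labour: the sink only checks the type of what it is given, the policy is where the sanitizer (or, as here, an escaper) actually runs, and a forgotten el.innerHTML = userInput somewhere in a large code base becomes a thrown TypeError rather than a silent XSS.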

Key Takeaways

  • HTML sanitization is crucial for preventing XSS attacks and malicious code injection.
  • DOMPurify and sanitize-html are both allow-list sanitizers; the difference is where they run (the browser's DOM versus Node.js), not how secure they are. Sanitize on the server before storing untrusted HTML, and again at the point where it enters the DOM.
  • Use an allow-list approach to HTML sanitization for better security and maintainability.
  • Trusted Types is not a sanitizer but a browser enforcement layer: with the right CSP it makes DOM sinks reject any HTML that did not come from a registered policy, which is where your sanitizer should live.

FAQ

Q: What is the difference between client-side and server-side sanitization?

A: Client-side sanitization runs in the browser, immediately before the HTML is inserted into the DOM, so it uses the same parser that will render the result. Server-side sanitization runs before the content is stored or served, so a client that bypasses your front end (by calling the API directly, for example) cannot smuggle raw HTML into your database. Neither is automatically "more secure": sanitizing only on the client leaves the stored data dirty and protects only clients that run your JavaScript, while sanitizing only on the server means the parser that cleaned the content is not the one that renders it. In practice, sanitize on the server before storing, and sanitize again (or enforce Trusted Types) where the HTML enters the DOM.

Q: Which approach is better, allow-list or deny-list?

A: We recommend using an allow-list approach, as it is more secure and easier to maintain.

Q: Is Trusted Types a replacement for DOMPurify and sanitize-html?

A: No. Trusted Types does not sanitize anything; it makes the browser refuse HTML that did not pass through a registered policy. The policy's job is to call a sanitizer such as DOMPurify, whose RETURN_TRUSTED_TYPE option returns a TrustedHTML object directly. sanitize-html is unaffected, since it runs in Node.js where there is no DOM to enforce against.
