DOMPurify is a JavaScript, DOM-only XSS sanitizer for HTML, MathML, and SVG. It takes "dirty" markup and returns cleaned output, stripping dangerous elements and attributes, and it can be configured and extended with hooks. It is useful for safely rendering user-provided or otherwise untrusted HTML-like content in modern browsers, and it can also run server-side under Node.js together with a DOM implementation such as jsdom.
Project status
- DOMPurify appears actively maintained, with multiple recent GitHub updates in May 2026 (3.4.5 on 2026-05-18, 3.4.6 on 2026-05-26, 3.4.7 on 2026-05-27), indicating ongoing security-focused work.
- The apparent update cadence is roughly weekly, with two closely spaced updates (3.4.6 and 3.4.7) late in the month, suggesting a steady stream of incremental hardening and follow-up fixes.
Recent updates

3.4.7 (Security), 6 days ago
DOMPurify 3.4.7 focuses on security hardening around IN_PLACE sanitization and Shadow Roots, plus a fix for permanent hook pollution. The release notes also mention substantial test-suite refactoring and expanded coverage. The code diff additionally shows extra clobbering-protection logic beyond what is explicitly described in the release notes.

3.4.6 (Security), 1 week ago
DOMPurify 3.4.6 focuses on hardening DOM Clobbering defenses for IN_PLACE sanitization, especially in cross-realm and Shadow DOM scenarios. The primary code change improves the internal detection logic for clobbered HTMLFormElement nodes so that it works reliably across realms.

3.4.5 (Security), 2 weeks ago
DOMPurify 3.4.5 is a security-focused patch release intended to immediately address an XSS bypass introduced in 3.4.4. The release notes attribute the issue to a new HTML element named `selectedcontent` and state that the bypass has been fixed.

3.4.4 (Security, Features), 2 weeks ago
DOMPurify 3.4.4 expands the default allow-list and strengthens template safety and cross-realm handling. The sanitizer now adds specific HTML tags and attributes to the defaults, improves SAFE_FOR_TEMPLATES behavior for IN_PLACE sanitization, and improves detection of DOM nodes originating from a different window or realm.

3.4.3, 2 weeks ago
DOMPurify 3.4.3 focuses on improving Shadow DOM sanitization, including nested Shadow DOM handling, and on hardening its SAFE_FOR_TEMPLATES template regexes against ReDoS. The release also updates the CI test matrix to include Node 26, refreshes tooling (Playwright, workflows, fuzzing), and bumps several dependencies.

3.4.2 (Security), 1 month ago
DOMPurify 3.4.2 fixes an issue in URI validation for attributes allowed via the ADD_ATTR callback, and corrects source maps that pointed to non-existent files. The release also includes CI/workflow maintenance and added test coverage, along with some dependency bumps.

3.4.1 (Security), 1 month ago
DOMPurify 3.4.1 focuses on hardening sanitizer behavior for specific HTML/SVG edge cases. The release notes call out fixes for custom-element on-handler stripping, an XHTML mixed-case bypass, repeated prefixing under SANITIZE_NAMED_PROPS, and DOM-clobbering robustness for IN_PLACE.

3.4.0 (Security), 1 month ago
DOMPurify 3.4.0 includes multiple security-focused sanitization fixes, including prototype pollution protections and several mitigations for mXSS scenarios. The release also updates MathML attribute handling and addresses configuration edge cases where function-based ADD_ATTR/ADD_TAGS behavior could leak across sanitizer instances or calls.

3.3.3, 2 months ago
DOMPurify 3.3.3 includes a small fix related to Node 20 engine handling, plus several internal sanitizer logic changes. The release notes mention only the Node 20 hiccup fix, but the code diff shows multiple behavior changes in attribute/tag validation and SAFE_FOR_XML handling.

3.3.2 (Breaking, Security), 2 months ago
DOMPurify 3.3.2 ships security fixes for a jsdom parsing bypass and for prototype pollution when working with custom elements, plus a change that makes `_isValidAttribute` configuration parsing less lenient. The code diff also shows broader sanitizer surface-area changes, including expanded allow-lists for attributes/tags and URI scheme handling, along with build and tooling modernizations.