DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks. Demo:
I plan to allow style tags and attributes through, but I do want to strip out any security vulnerabilities from them, such as any expression or javascript: use as discussed here.
Why? Is MSIE6 part of your threat model? If so, DOMPurify won't work anyway and for no other browser, those kinds of sanitizations are actually needed.
I plan to allow style tags and attributes through, but I do want to strip out any security vulnerabilities from them, such as any
expression
orjavascript:
use as discussed here.How can that be achieved in dompurify?