Repository Analysis

cure53/DOMPurify

DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks. Demo:

Verdict: Likely human-written
Adjusted Score: 0.7
Raw Score: 0.7
Time Factor: 100%
Last Push: 2026-05-30
Stars: 17,048
Language: JavaScript
Lines of Code: 33,399
Files: 78
Pattern Hits: 18
Scan Date: 2026-05-31

Severity Breakdown

CRITICAL 0, HIGH 0, MEDIUM 3, LOW 15

Pattern Findings

18 matches across 4 categories.

Over-Commented Block: 14 hits · 14 pts

Severity  File                                       Line  Snippet
LOW       README.md                                  261
LOW       test/test-suite.js                         3241  }
LOW       test/test-suite.js                         3441  '<svg></svg>',
LOW       test/test-suite.js                         3841  assert.equal(
LOW       test/test-suite.js                         3961  //
LOW       test/test-suite.js                         4161  assert.equal(triggered, false, 'no XSS on native insertion');
LOW       test/test-suite.js                         4441  // an attack surface. childNodes / nodeType / shadowRoot etc. can be
LOW       test/test-suite.js                         4641  // 1. Engine behaviour: not every name is clobberable via
LOW       test/fuzz/sanitize.fast-check.js           261   verbose: true,
LOW       test/fuzz/sanitize.fast-check.js           341   verbose: true,
LOW       .github/workflows/codeql-analysis.yml      61
LOW       .github/workflows/build-and-test-skip.yml  1     name: Build & Test
LOW       src/purify.ts                              1221  element.attributes !== getAttributes(element) ||
LOW       src/purify.ts                              1861  // Realm-safe check (GHSA-hpcv-96wg-7vj8): use nodeType-based

Decorative Section Separators: 2 hits · 6 pts

Severity  File                    Line  Snippet
MEDIUM    .github/dependabot.yml  61    # ---------------------------------------------------------------------
MEDIUM    .github/dependabot.yml  70    # ---------------------------------------------------------------------

AI Slop Vocabulary: 1 hit · 3 pts

Severity  File                Line  Snippet
MEDIUM    test/test-suite.js  4654  // failed on some engine. The robust pattern is to ask the

Hyper-Verbose Identifiers: 1 hit · 1 pt

Severity  File                          Line  Snippet
LOW       test/bootstrap-test-suite.js  50    function loadDOMPurifyWithSanityCheck(