stripXSS
Strips potentially dangerous HTML tags and attributes that could lead to XSS. This is a basic sanitizer, not a replacement for full HTML sanitization libraries.
Note: This is a regex-based blocklist, so it removes only the patterns it is written for (a fixed set of tags, quoted event-handler attributes, quoted javascript:/data: URLs in href/src, and CSS expression()); any construct outside that list passes through unchanged. It must not be the only control where untrusted HTML is rendered. For real-world applications, use a well-tested, allowlist-based library such as DOMPurify or sanitize-html, and when the content is meant to be plain text, escape it (or assign it via textContent) instead of sanitizing it.
```typescript
/**
 * Strips potentially dangerous HTML tags and attributes that could lead to XSS.
 * This is a basic, regex-based blocklist sanitizer, not a replacement for a
 * full HTML sanitization library: only the patterns listed below are removed,
 * everything else is passed through unchanged.
 *
 * @param input - The input HTML string.
 * @returns A sanitized string with potentially dangerous tags/attributes removed.
 */
export function stripXSS(input: string): string {
  return input
    // Remove <script>, <style> and <iframe> elements together with their contents
    // (a matching closing tag is required for the pattern to match)
    .replace(/<script[\s\S]*?>[\s\S]*?<\/script>/gi, '')
    .replace(/<style[\s\S]*?>[\s\S]*?<\/style>/gi, '')
    .replace(/<iframe[\s\S]*?>[\s\S]*?<\/iframe>/gi, '')
    // Remove inline event handlers like onclick="..." / onclick='...'
    // (only double- or single-quoted values preceded by whitespace are matched)
    .replace(/\son\w+="[^"]*"/gi, '')
    .replace(/\son\w+='[^']*'/gi, '')
    // Remove quoted javascript: and data: URLs in href/src attributes
    .replace(/\s(href|src)\s*=\s*(['"])\s*(javascript|data):[^'"]*\2/gi, '')
    // Remove CSS expression(...), executed by legacy Internet Explorer;
    // the pattern stops at the first ")", so nested calls leave a stray ")"
    .replace(/expression\s*\([^)]*\)/gi, '');
}
```
Removes High-Risk Tags Completely
Eliminates entire <script>, <style>, and <iframe> blocks, which are common vectors for XSS attacks. Other active elements (for example <object>, <embed>, <svg> or <math>) are not on the list and are left in place.
Blocks Inline Event Handlers
Strips attributes like onclick, onerror, and other on* event bindings that can execute arbitrary scripts. As written, only quoted values preceded by whitespace are matched; an unquoted handler such as onerror=alert(1), or one written as <svg/onload=...>, is not removed.
Neutralizes Dangerous Protocols
Detects and removes javascript: and data: URLs in quoted href and src attributes to prevent script execution through links or media sources. Unquoted values, other URL-bearing attributes (formaction, xlink:href) and HTML-entity-encoded schemes such as &#106;avascript: are not covered.
Filters CSS-Based Attacks
Removes expression(...) usage in inline styles, which can trigger JavaScript execution in legacy Internet Explorer.
Lightweight and Dependency-Free
Offers a minimalistic XSS mitigation solution without requiring external libraries or runtime dependencies.
Tests | Examples
```typescript
// Jest-style tests; stripXSS is assumed to be imported from the module defined above.
test('stripXSS - removes <script> tags', () => {
  const input = '<div>Hello<script>alert("XSS")</script>World</div>';
  const result = stripXSS(input);
  expect(result).toBe('<div>HelloWorld</div>');
});

test('stripXSS - removes inline event handlers', () => {
  const input = '<button onclick="evil()">Click me</button>';
  const result = stripXSS(input);
  expect(result).toBe('<button>Click me</button>');
});

test('stripXSS - strips javascript: links', () => {
  const input = '<a href="javascript:alert(1)">Click</a>';
  const result = stripXSS(input);
  expect(result).toBe('<a>Click</a>');
});

test('stripXSS - removes iframe and style tags', () => {
  const input = '<style>.hidden{display:none;}</style><iframe src="evil.com"></iframe>';
  const result = stripXSS(input);
  expect(result).toBe('');
});

test('stripXSS - strips expression in CSS', () => {
  const input = '<div style="width: expression(alert(\'XSS\'))">Text</div>';
  const result = stripXSS(input);
  // The regex stops at the first ")", so a stray ")" is left in the style
  // attribute; the text content is untouched and the expression( call is gone.
  expect(result).toContain('Text');
  expect(result).not.toContain('expression(');
});
```
Common Use Cases
Basic Input Sanitization for Comments/Posts
Clean user-submitted HTML in forums, blogs, or chat applications before rendering, where some markup must be preserved and the residual risk of a blocklist is acceptable.
Previewing User-Generated Content
Strip the most common harmful HTML from input while allowing plain text or partial markup in real-time previews. If the preview only needs plain text, escaping the input is the safer choice.
Sanitizing HTML Snippets Before Insertion
Reduce the risk of DOM-based XSS by cleaning HTML snippets before appending them to the document via .innerHTML. Prefer textContent when no markup is needed, and a full sanitizer when untrusted markup has to be rendered.
Moderate Security Contexts
Use in applications where full HTML support isn't required, the input comes from semi-trusted users, and simpler sanitization is acceptable (e.g., internal tools).
Fallback When Full Sanitization Libraries Are Not Available
Serve as a temporary stopgap when libraries like DOMPurify or sanitize-html aren't an option; pair it with a Content Security Policy and replace it with a proper sanitizer when you can.
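The feature list and the use cases above describe what the blocklist catches; the following added example (not part of the original page or library) makes the boundary concrete. It copies the stripXSS definition from above so the file runs on its own, runs a set of constructed probe payloads through it to show which ones come out unchanged, and contrasts that with output escaping, the right tool for the plain-text use cases. The probe payloads, the PROBES/unchangedProbes names and the escapeHtml helper are constructed for this example.

```typescript
// Added example, not the library's own code. stripXSS is copied verbatim from
// the page's definition so this file is self-contained.
function stripXSS(input: string): string {
  return input
    .replace(/<script[\s\S]*?>[\s\S]*?<\/script>/gi, '')
    .replace(/<style[\s\S]*?>[\s\S]*?<\/style>/gi, '')
    .replace(/<iframe[\s\S]*?>[\s\S]*?<\/iframe>/gi, '')
    .replace(/\son\w+="[^"]*"/gi, '')
    .replace(/\son\w+='[^']*'/gi, '')
    .replace(/\s(href|src)\s*=\s*(['"])\s*(javascript|data):[^'"]*\2/gi, '')
    .replace(/expression\s*\([^)]*\)/gi, '');
}

// Output escaping for the plain-text case (constructed helper): every
// HTML-significant character becomes a character reference, so the browser
// renders the input as text and never parses it as markup. Use this (or
// element.textContent) when the content is not supposed to contain markup.
const HTML_ESCAPES: Record<string, string> = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};
function escapeHtml(text: string): string {
  return text.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c] ?? c);
}

// Constructed probes. The first two have the exact shape the blocklist is
// written for; the rest differ only in quoting, spacing, encoding or attribute
// name, which a regex blocklist does not generalise over.
const PROBES: Record<string, string> = {
  scriptTag: '<script>alert(1)</script>',
  quotedHandler: '<img src="x" onerror="alert(1)">',
  unquotedHandler: '<img src=x onerror=alert(1)>',            // value not quoted
  noSpaceBeforeHandler: '<svg/onload=alert(1)>',              // "/" separates attributes, regex wants \s
  unquotedJsUrl: '<a href=javascript:alert(1)>x</a>',         // href regex requires a quote
  entityEncodedScheme: '<a href="&#106;avascript:alert(1)">x</a>', // browser decodes &#106; to "j"
  formaction: '<form><button formaction="javascript:alert(1)">x</button></form>', // attribute not in href|src
};

// Names of the probes that stripXSS leaves byte-for-byte unchanged, i.e. the
// payloads that would reach the browser untouched.
function unchangedProbes(): string[] {
  return Object.keys(PROBES).filter((name) => stripXSS(PROBES[name]) === PROBES[name]);
}

// Demonstration when run directly.
const passedThrough = unchangedProbes();
console.log('caught :', Object.keys(PROBES).filter((n) => !passedThrough.includes(n)));
console.log('passed :', passedThrough);
console.log('escaped:', escapeHtml(PROBES.unquotedHandler));
```

Five of the seven probes survive untouched, which is the practical meaning of "blocklist": the function recognises the two shapes it was written for and nothing adjacent to them. For content that should be plain text, escapeHtml neutralises every probe at once, because it does not need to know what an attack looks like.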