Question 1

How to allow custom data-* attributes with js-xss?

Accepted Answer

Use the onIgnoreTagAttr handler to check for attributes starting with 'data-' and return them with escaped values, as shown in the README example. This lets you safely include custom attributes without modifying the whitelist extensively.

Question 2

Is js-xss better than DOMPurify for preventing XSS?

Accepted Answer

js-xss offers higher performance and more customization options, but DOMPurify might have better browser integration and a more active community. Choose js-xss if you need fine-grained control; opt for DOMPurify for easier drop-in usage.

Question 3

Can js-xss handle SVG sanitization safely?

Accepted Answer

Yes, but it requires custom configuration since SVG elements and attributes aren't in the default whitelist. You need to manually add them to the whitelist or use onTag handlers, which can be complex and error-prone.

Question 4

What tags are allowed by default in js-xss?

Accepted Answer

The README references a default whitelist via xss.whiteList but doesn't list it explicitly. You must check the source code or documentation to see common safe elements like or

, which may not cover all needs.

Question 5

How to strip all HTML and keep only text with js-xss?

Accepted Answer

Set the whiteList to an empty object and enable stripIgnoreTag and stripIgnoreTagBody options, as shown in the README example. This filters out all tags and their contents, leaving plain text.

Question 6

Is the rawgit URL safe for production browser use?

Accepted Answer

No, the README explicitly warns against using the rawgit URL in production. For browser usage, you should host the library yourself or use a CDN to avoid reliability and security issues.

js-xss

What is js-xss?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions