DOMPurify Config Playground

Test DOMPurify configs interactively. Paste HTML, pick a preset, and compare raw rendering (left) against DOMPurify.sanitize() output (right). All output is contained in sandboxed iframes so nothing escapes.

Raw (no sanitisation)

Rendered (sandboxed iframe, so overlays/alerts cannot escape):
HTML string passed to innerHTML:

    

DOMPurify output

Rendered (also sandboxed):
HTML string returned by DOMPurify.sanitize():

      
Config used:

    

Fingerprinter

Probe-tagged HTML to deduce a target's DOMPurify config when you cannot see the source. Each probe carries id="P-..."; whichever ids and feature attributes survive the sanitiser tell you what is allowed. See dompurify-fingerprinting.md for the interpretation guide.

Real-world configs (from production apps)

Configs lifted from popular open-source projects. Red border = this real-world config lets the example payload through. Green = the real-world config catches it. See dompurify-real-world-configs.md for sources.

Teaching examples

Synthetic configs designed to isolate a single misconfig pattern. Every preset has been verified by running it through DOMPurify in Node - the description matches the actual sanitised output.