@humanspeak/svelte-purify

A tiny, friendly sanitizer for Svelte that keeps your HTML shiny and safe using DOMPurify. SSR-ready by default.

![NPM version](https://www.npmjs.com/package/@humanspeak/svelte-purify)
![Build Status](https://github.com/humanspeak/svelte-purify/actions/workflows/npm-publish.yml)
![Coverage Status](https://coveralls.io/github/humanspeak/svelte-purify?branch=main)
![License](https://github.com/humanspeak/svelte-purify/blob/main/LICENSE)
![Downloads](https://www.npmjs.com/package/@humanspeak/svelte-purify)
![CodeQL](https://github.com/humanspeak/svelte-purify/actions/workflows/codeql.yml)
![Install size](https://packagephobia.com/result?p=@humanspeak/svelte-purify)
![Code Style: Trunk](https://trunk.io)
![TypeScript](http://www.typescriptlang.org/)
![Types](https://www.npmjs.com/package/@humanspeak/svelte-purify)
![Maintenance](https://github.com/humanspeak/svelte-purify/graphs/commit-activity)

Features

- 🚀 Fast and tiny: DOMPurify under the hood, minimal wrapper
- 🔒 XSS protection: strips scripts, unsafe URLs, and sneaky attributes
- 🧰 Options passthrough: you control DOMPurify via options
- 🧭 SSR-ready: default component works on server and client
- 🧪 Tested: unit tests with Vitest/JSDOM
- 🧑‍💻 Full TypeScript: proper types for options and props
- 🧿 Svelte 5 runes-friendly: clean, modern Svelte API

Installation

``bash npm i -S @humanspeak/svelte-purify

`or`


pnpm add @humanspeak/svelte-purify
or

yarn add @humanspeak/svelte-purify


Basic Usage
$3

`svelte



`
$3
`svelte

`
$3
You can render UI before and after the sanitized HTML. Each hook receives the sanitized HTML length as a number.
`svelte
    {html}
    preHtml={(len) => <>Sanitized length: {len}}
    postHtml={(len) => <> • {len} chars}
/>
`
Options (DOMPurify)
Pass any DOMPurify.sanitize options. We don’t hide anything—use the full power of DOMPurify.
`svelte

`
Note: The component returns sanitized HTML as a string (not DOM nodes).
Props
| Component      | Prop        | Type                                       | Description                                    |
| -------------- | ----------- | ------------------------------------------ | ---------------------------------------------- |
| SveltePurify | html      | string                                   | Raw HTML to sanitize and render                |
|                | options   | Parameters[1] | DOMPurify options (all supported)              |
|                | maxLength | number                                   | If set, truncates the sanitized HTML string    |
|                | preHtml   | Snippet<[number]>                        | Renders before HTML; receives sanitized length |
|                | postHtml  | Snippet<[number]>                        | Renders after HTML; receives sanitized length  |
Exports
`ts
import { SveltePurify } from '@humanspeak/svelte-purify'
`
- SveltePurify: SSR-friendly sanitizer component
Security
This library delegates sanitization to DOMPurify, a battle-tested sanitizer. It removes script tags, event handler attributes (like onerror), and unsafe URLs (javascript:), among many other protections.
Examples
Strip a specific tag with DOMPurify options:
`svelte

`
Allow an extra tag:
`svelte
    html=""
    options={{ ADD_TAGS: ['iframe'] }}
/>
``
License
MIT © Humanspeak, Inc.
Credits
Made with ❤️ by Humanspeak
Special thanks to @jill64 — her years of Svelte contributions taught me so much and inspired this work.

`@humanspeak/svelte-purify`

A tiny, friendly sanitizer for Svelte that keeps your HTML shiny and safe using DOMPurify. SSR-ready by default.

![NPM version](https://www.npmjs.com/package/@humanspeak/svelte-purify) ![Build Status](https://github.com/humanspeak/svelte-purify/actions/workflows/npm-publish.yml) ![Coverage Status](https://coveralls.io/github/humanspeak/svelte-purify?branch=main) ![License](https://github.com/humanspeak/svelte-purify/blob/main/LICENSE) ![Downloads](https://www.npmjs.com/package/@humanspeak/svelte-purify) ![CodeQL](https://github.com/humanspeak/svelte-purify/actions/workflows/codeql.yml) ![Install size](https://packagephobia.com/result?p=@humanspeak/svelte-purify) ![Code Style: Trunk](https://trunk.io) ![TypeScript](http://www.typescriptlang.org/) ![Types](https://www.npmjs.com/package/@humanspeak/svelte-purify) ![Maintenance](https://github.com/humanspeak/svelte-purify/graphs/commit-activity)

`Features`

- 🚀 Fast and tiny: DOMPurify under the hood, minimal wrapper - 🔒 XSS protection: strips scripts, unsafe URLs, and sneaky attributes - 🧰 Options passthrough: you control DOMPurify via options - 🧭 SSR-ready: default component works on server and client - 🧪 Tested: unit tests with Vitest/JSDOM - 🧑‍💻 Full TypeScript: proper types for options and props - 🧿 Svelte 5 runes-friendly: clean, modern Svelte API

`Installation`

``bash npm i -S @humanspeak/svelte-purify

`or`


pnpm add @humanspeak/svelte-purify
or

yarn add @humanspeak/svelte-purify
`
Basic Usage
$3
`svelte


`
$3
`svelte

`
$3
You can render UI before and after the sanitized HTML. Each hook receives the sanitized HTML length as a number.
`svelte
    {html}
    preHtml={(len) => <>Sanitized length: {len}}
    postHtml={(len) => <> • {len} chars}
/>
`
Options (DOMPurify)
Pass any DOMPurify.sanitize options. We don’t hide anything—use the full power of DOMPurify.
`svelte

`
Note: The component returns sanitized HTML as a string (not DOM nodes).
Props
| Component      | Prop        | Type                                       | Description                                    |
| -------------- | ----------- | ------------------------------------------ | ---------------------------------------------- |
| SveltePurify | html      | string                                   | Raw HTML to sanitize and render                |
|                | options   | Parameters[1] | DOMPurify options (all supported)              |
|                | maxLength | number                                   | If set, truncates the sanitized HTML string    |
|                | preHtml   | Snippet<[number]>                        | Renders before HTML; receives sanitized length |
|                | postHtml  | Snippet<[number]>                        | Renders after HTML; receives sanitized length  |
Exports
`ts
import { SveltePurify } from '@humanspeak/svelte-purify'
`
- SveltePurify: SSR-friendly sanitizer component
Security
This library delegates sanitization to DOMPurify, a battle-tested sanitizer. It removes script tags, event handler attributes (like onerror), and unsafe URLs (javascript:), among many other protections.
Examples
Strip a specific tag with DOMPurify options:
`svelte

`
Allow an extra tag:
`svelte
    html=""
    options={{ ADD_TAGS: ['iframe'] }}
/>
``
License
MIT © Humanspeak, Inc.
Credits
Made with ❤️ by Humanspeak
Special thanks to @jill64 — her years of Svelte contributions taught me so much and inspired this work.

@humanspeak/svelte-purify

@humanspeak/svelte-purify

Features

Installation

`or`

or

Basic Usage

$3

`$3`

`$3`

`Options (DOMPurify)`

`Props`

`Exports`

`Security`

`Examples`

License

Credits

`@humanspeak/svelte-purify`

`@humanspeak/svelte-purify`

`Features`

`Installation`

`or`

or

Basic Usage

$3

`$3`

`$3`

`Options (DOMPurify)`

`Props`

`Exports`

`Security`

`Examples`

License

Credits