A markdown-it plugin that sanitizes `html_block` and `html_inline` tokens using DOMPurify.
This helps prevent XSS and ensures only safe HTML is rendered from Markdown.
- Sanitizes embedded HTML inside Markdown
- Supports `html_block` and `html_inline` tokens
- Passes options directly to DOMPurify (`ADD_TAGS`, `ALLOWED_TAGS`, etc.)
- Easy to use and minimal
```bash
npm install markdown-it-purifier dompurify
```

⚠️ You must install `dompurify` and `markdown-it` yourself; this plugin declares them as peerDependencies.

```js
import MarkdownIt from 'markdown-it'
import markdownItPurifier from 'markdown-it-purifier'

// html: true lets raw HTML through markdown-it so the plugin can sanitize it
const md = new MarkdownIt({ html: true })

md.use(markdownItPurifier, {
  // These options are passed directly to DOMPurify
  ADD_TAGS: ['iframe'],
  ADD_ATTR: ['src', 'width', 'height', 'allow', 'allowfullscreen']
})

// Put the Markdown source to render inside the template literal
const result = md.render(`
`)

console.log(result)
```
You can pass any DOMPurify options directly into this plugin.
* To add tags or attributes, use `ADD_TAGS` / `ADD_ATTR`.
* To fully override the whitelist, use `ALLOWED_TAGS` / `ALLOWED_ATTR`.

⚠️ When you use `ALLOWED_TAGS` or `ALLOWED_ATTR`, DOMPurify will not merge with the default list.
You must specify all tags or attributes you want to allow.
This plugin uses DOMPurify internally and does not maintain its own allowlist.
Make sure to review the DOMPurify security docs if you're processing untrusted user input.
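
The usage example lets `iframe` and its `src` through with `ADD_TAGS` / `ADD_ATTR`, which settles which tags and attributes survive but not which sites an allowed iframe may load. The code below is an added example (not part of this plugin or of DOMPurify) of a DOMPurify `uponSanitizeAttribute` hook that keeps an iframe `src` only when it is an HTTPS URL on an allowlisted host. The host names, `ALLOWED_IFRAME_HOSTS`, `isAllowedIframeSrc` and `iframeSrcHook` are assumptions made for illustration, as is the premise that the DOMPurify instance you register the hook on is the one the plugin sanitizes with.

```javascript
// Added example. Host names are constructed samples; all identifiers here
// are hypothetical and not part of markdown-it-purifier or DOMPurify.
const ALLOWED_IFRAME_HOSTS = new Set(['media.example.com', 'video.example.org'])

// True only for absolute https:// URLs whose host is on the allowlist.
function isAllowedIframeSrc(src, hosts = ALLOWED_IFRAME_HOSTS) {
  if (typeof src !== 'string') return false
  let url
  try {
    // No base URL is given, so relative and scheme-relative values
    // ("/x", "//host/x") fail to parse and are rejected.
    url = new URL(src.trim())
  } catch {
    return false
  }
  if (url.protocol !== 'https:') return false // http:, javascript:, data:, ...
  if (url.username || url.password) return false // "https://allowed@other-host/"
  // Exact match on the parsed hostname (already lowercased by the parser),
  // so "media.example.com.other.example" does not pass. The port is ignored.
  return hosts.has(url.hostname)
}

// Hook body for DOMPurify's 'uponSanitizeAttribute' hook: DOMPurify calls it
// with the current node and a data object, and setting data.keepAttr = false
// drops the attribute being examined.
function iframeSrcHook(node, data) {
  const isIframe = String(node.nodeName).toLowerCase() === 'iframe'
  if (isIframe && data.attrName === 'src' && !isAllowedIframeSrc(data.attrValue)) {
    data.keepAttr = false
  }
}

// Registration, assuming `DOMPurify` is the instance used for sanitizing:
//   DOMPurify.addHook('uponSanitizeAttribute', iframeSrcHook)
```

An iframe whose `src` is dropped still renders as an empty frame; removing the element entirely would need a separate hook.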
MIT