Themis VS DOMPurify

Compare Themis vs DOMPurify and see what are their differences.


Easy to use cryptographic framework for data protection: secure messaging with forward secrecy and secure data storage. Has unified APIs across 14 platforms. (by cossacklabs)


DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks. Demo: (by cure53)
Our great sponsors
  • - Download’s Tech Salary Report
  • SonarLint - Clean code begins in your IDE with SonarLint
  • InfluxDB - Build time-series-based applications quickly and at scale.
  • Scout APM - Truly a developer’s best friend
Themis DOMPurify
2 25
1,600 9,728
1.3% -
6.9 8.8
4 days ago 11 days ago
C JavaScript
Apache License 2.0 GNU General Public License v3.0 or later
The number of mentions indicates the total number of mentions that we've tracked plus the number of user suggested alternatives.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.


Posts with mentions or reviews of Themis. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2021-05-12.
  • Backstage: cryptographic R&D internship at Cossack Labs
    4 projects | | 12 May 2021
    Now, the real world work starts. We introduce interns to the world of popular cryptographic libraries, help them to make their first OSS contributions, and let them practice with our cryptographic library Themis which provides a high-level crypto API on 14 languages.


Posts with mentions or reviews of DOMPurify. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2022-08-01.
  • Storing Rich Text from ReactJS Editor
    2 projects | | 1 Aug 2022
    I'm assuming JavaScript (or TypeScript) is the desired language here as you're using React. DOMPurify would work client-side and also with Nodejs if you have a JS backend that you use to to interact with Postgres (which would naturally be safer place to handle the sanitation compared to client-side). To be extra cautious, sanitising the user input both when writing and printing would be done
  • Displaying WYSIWYG editor's output with React
    2 projects | | 6 Jul 2022 or similar libraries can actually do the escaping themselves, but you will be able to set what tags you allow or what not to allow. The list of allowed tags needs to be similar to what you allow in the CKEditor. By using this library to sanitize the input, you will be able to actually use dangerouslySetHtml without issues
  • is it recomended to use html templates instead of .innerHTML
    2 projects | | 21 May 2022
  • Do you trust the Obsidian company?
    8 projects | | 21 Apr 2022
    DOMPurify [Apache 2.0] or [Mozilla 2.0]
  • Building a Serverless Application with Next.js and CockroachDB!
    7 projects | | 13 Mar 2022
    To purify the content inside of our input fields, let's use dompurify.
  • How to choose a third party package
    6 projects | | 4 Dec 2021
    As mentioned in Fit your need, many packages try to solve a general problem (thus the size of the package is large). You may only need a small part of the package. Sometimes, your problem is unique and there are no existing third party packages out there that solve it. In those cases, it's a great time for you to do it yourself. I found myself in the early days in the industry spending much time finding a third party package to help me build features. But over time, I more rarely used external packages for my daily tasks. It doesn't mean that I always reinvent the wheel. It means that I know what I am doing and I can seek help from the community when I truly need to (for example I will never sanitize user input by myself, but use DOMPurify)
  • VSCode built with jQuery?
    2 projects | | 17 Oct 2021
  • How To Parse and Render Markdown In Vuejs
    6 projects | | 26 Aug 2021
    Vue does not have as much support for Vue as there is for React. Examples are markdown-it, Remark.js, marked.js. But hopefully in the future, there should be more support, and after much research, I picked marked.js because it has the most stars and has zero vulnerability. Marked does not sanitize (meaning it does not secure HTML documents from attacks like cross-site scripting (XSS) ) marked output HTML as that feature is deprecated and has vulnerability but however, it supports the use of other libraries to secure output HTML such as DOMPurify (recommended), sanitize-html or insane.
  • A contentEditable, pasted garbage and caret placement walk into a pub
    2 projects | | 23 Jul 2021
    I would highly recommend using DOMPurify over sanitize-html. It is a lot smaller in bundle size, it is also well maintained:

    The author mentions to build their own sanitizer, which I would recommend against. Maybe for this use case (extracting a few b tags), it’d be fine, but as soon as links are involved: please stand on the shoulder of giants in order to prevent XSS.

  • Sending Contact Form Messages to Your Email Inbox
    2 projects | | 21 Feb 2021
    Since we are dealing with user input sanitizing it is a good security practice, you can set up any user input sanitizing method you are familiar with, a good start can be DOMPurify.

What are some alternatives?

When comparing Themis and DOMPurify you can also consider the following projects:

sanitize-html - Clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis. Built on htmlparser2 for speed and tolerance

js-xss - Sanitize untrusted HTML (to prevent XSS) with a configuration specified by a Whitelist

HtmlSanitizer - Cleans HTML to avoid XSS attacks


Retire.js - scanner detecting the use of JavaScript libraries with known vulnerabilities. Can also generate an SBOM of the libraries it finds.

Next.js - The React Framework

SuperTokens Community - Open source alternative to Auth0 / Firebase Auth / AWS Cognito

cryptography - cryptography is a package designed to expose cryptographic primitives and recipes to Python developers.

NeDB - The JavaScript Database, for Node.js, nw.js, electron and the browser

tweetnacl-java - TweetNaCl in Java - a port of TweetNaCl-js

Crypto++ - free C++ class library of cryptographic schemes

Thymeleaf - Thymeleaf is a modern server-side Java template engine for both web and standalone environments.