demos/advanced-config-demo.html - domPurify - Git at Google

 <!doctype html>
 <html>
     <head>
         <script src="../dist/purify.js"></script>
     </head>
     <body>
         <!-- Our DIV to receive content -->
         <div id="sanitized"></div>

         <!-- Now let's sanitize that content -->
         <script>
             // Use strict mode
             'use strict';

             // Import DOMPurify if you're using modules, otherwise assume it's globally available
             // import DOMPurify from 'dompurify'; // Uncomment if using ES6 modules

             // Specify dirty HTML
             const dirty = `
                 <p kitty-litter="yes" french-fries="no">HELLO</p>
                 <style>*{x:expression(alert(1))}</style>
                 <ying><yang><bang>123456</bang></ying></yang>
                 <iframe/\/src=JavScript:alert&lpar;1)></ifrAMe><br>goodbye</p><h1>not me!</h1>
             `;

             // Specify a configuration directive
             const config = {
                 ALLOWED_TAGS: ['p', '#text'], // only <P> and text nodes
                 KEEP_CONTENT: false, // remove content from non-allow-listed nodes too
                 ADD_ATTR: ['kitty-litter'], // permit kitty-litter attributes
                 ADD_TAGS: ['ying', 'yang'], // permit additional custom tags
                 RETURN_DOM: true // return a document object instead of a string
             };

             // Clean HTML string and write into our DIV
             const clean = DOMPurify.sanitize(dirty, config);

             // Grab innerHTML from returned clean body node
             document.getElementById('sanitized').innerHTML = clean.innerHTML;
         </script>
     </body>
 </html>
	<!doctype html>
	<html>
	<head>
	<script src="../dist/purify.js"></script>
	</head>
	<body>
	<!-- Our DIV to receive content -->
	<div id="sanitized"></div>

	<!-- Now let's sanitize that content -->
	<script>
	// Use strict mode
	'use strict';

	// Import DOMPurify if you're using modules, otherwise assume it's globally available
	// import DOMPurify from 'dompurify'; // Uncomment if using ES6 modules

	// Specify dirty HTML
	const dirty = `
	<p kitty-litter="yes" french-fries="no">HELLO</p>
	<style>*{x:expression(alert(1))}</style>
	<ying><yang><bang>123456</bang></ying></yang>
	<iframe/\/src=JavScript:alert(1)></ifrAMe><br>goodbye</p><h1>not me!</h1>
	`;

	// Specify a configuration directive
	const config = {
	ALLOWED_TAGS: ['p', '#text'], // only <P> and text nodes
	KEEP_CONTENT: false, // remove content from non-allow-listed nodes too
	ADD_ATTR: ['kitty-litter'], // permit kitty-litter attributes
	ADD_TAGS: ['ying', 'yang'], // permit additional custom tags
	RETURN_DOM: true // return a document object instead of a string
	};

	// Clean HTML string and write into our DIV
	const clean = DOMPurify.sanitize(dirty, config);

	// Grab innerHTML from returned clean body node
	document.getElementById('sanitized').innerHTML = clean.innerHTML;
	</script>
	</body>
	</html>