https://github.com/cure53/DOMPurify
also: interesting discussion about XSS attacks (confusing even DOMPurify at times):
https://news.ycombinator.com/item?id=24703230
DOMPurify sanitizes HTML and prevents XSS attacks. You can feed DOMPurify with string full of dirty HTML and it will return a string (unless configured otherwise) with clean HTML. DOMPurify will strip out everything that contains dangerous HTML and thereby prevent XSS attacks and other nastiness. It’s also damn bloody fast. We use the technologies the browser provides and turn them into an XSS filter. The faster your browser, the faster DOMPurify will be.
How do I use it?
It’s easy. Just include DOMPurify on your website.
Using the unminified development version
<script type="text/javascript" src="src/purify.js"></script>Read More