From d2dd9d1b1c091d3b13870d27d449be6d3079634f Mon Sep 17 00:00:00 2001 From: Alexandre ZANNI <16578570+noraj@users.noreply.github.com> Date: Sat, 6 Aug 2022 23:12:06 +0200 Subject: [PATCH] adding some JavaScript sandbox / sanitizers resources (#960) --- cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.md b/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.md index 1244549992..72e3d26dd5 100644 --- a/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.md +++ b/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.md @@ -454,6 +454,14 @@ if (untrustedData === 'location') { Run your JavaScript in a ECMAScript 5 [canopy](https://github.com/jcoglan/canopy) or sandbox to make it harder for your JavaScript API to be compromised (Gareth Heyes and John Stevens). +Examples of some JavaScript sandbox / sanitizers: + +- [js-xss](https://github.com/leizongmin/js-xss) +- [sanitize-html](https://github.com/apostrophecms/sanitize-html) +- [DOMPurify](https://github.com/cure53/DOMPurify) +- [MDN - HTML Sanitizer API](https://developer.mozilla.org/en-US/docs/Web/API/HTML_Sanitizer_API) +- [OWASP Summit 2011 - DOM Sandboxing](https://owasp.org/www-pdf-archive/OWASPSummit2011DOMSandboxingBrowserSecurityTrack.pdf) + ### GUIDELINE \#10 - Don't eval() JSON to convert it to native JavaScript objects Don't `eval()` JSON to convert it to native JavaScript objects. Instead use `JSON.toJSON()` and `JSON.parse()` (Chris Schmidt).
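Review bot: the added list mixes two different controls under one heading, and the heading itself is ungrammatical ("Examples of some JavaScript sandbox / sanitizers:"). js-xss, sanitize-html, DOMPurify and the HTML Sanitizer API are HTML sanitizers, i.e. they filter untrusted HTML markup before it is inserted into the DOM; only the OWASP Summit 2011 entry is about DOM/JavaScript sandboxing, which is what this guideline (running your JavaScript in a sandbox) is about. Suggest retitling to something like "Examples of JavaScript sandboxes and HTML sanitizers:" and splitting the list into two short groups with a one-line note on what each does, or moving the sanitizer links next to the guideline on safely inserting untrusted HTML, so readers do not take an HTML sanitizer as a substitute for sandboxing the script itself. Since the HTML Sanitizer API is a browser feature rather than a library, it is also worth flagging that its availability depends on the browser, with the MDN page as the reference for current support. Minor, outside the hunk but in the visible context: the existing sentence links "canopy" to jcoglan/canopy, which is a parser generator and not a sandbox; that link should be corrected in this PR or in a follow-up.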