
Massive bundle size #198

Closed
jamesfiltness opened this issue Jan 19, 2018 · 4 comments

@jamesfiltness

commented Jan 19, 2018

I wondered why my bundle size was so huuuge. If I include sanitize-html into my dependency tree, my bundle size grows by almost 900k. The reason is that PostCSS and readable-stream are dependencies.

This module is basically unusable because of this - PostCSS alone is 504k in size.

@boutell

Contributor

commented Jan 19, 2018

postcss is there so we can support CSS validation; browser-side use is a marginal case for this module, which was always intended as a server-side solution (you can't trust browsers anyway, so why would you sanitize in them, etc.).

I'm aware of a few legit use cases, of which the best is probably that you want to preview what the sanitization will do for the user without hitting a server API.

So I'm trying to think how this could have worked out any differently... I guess we could have made the CSS validation an optional module rather than baking it in. However, we did bake it in, so it would be a bc break to remove it in the 1.x series.

We could do it in 2.x... which needs to come into existence soon anyway because htmlparser2 is an abandoned project and we really need to use parse5.

@jamesfiltness

Author

commented Jan 19, 2018

Our use case is where we've been passed HTML from an API and need to display that in a React application. This requires the use of the dangerouslySetInnerHTML property which outputs any string passed to it using innerHTML. We were using sanitize-html to mitigate XSS.

I hadn't noticed that your README points out that it's intended for use in Node. If it weren't for the size it could be useful for the client as well. I've since found DOMPurify which seems to be a suitable alternative!

@boutell

Contributor

commented Jan 19, 2018

DOMPurify does sound like a better solution for browser-side use.

@boutell boutell closed this Jan 19, 2018

@nathanchase


commented Sep 6, 2018

I'm using Nuxt.js which pulls data from an API both server-side AND client-side, and would love to use sanitize-html without postcss being included as a dependency. The multiple lodash dependencies bloat this package, too, since I already use lodash.

Whatever you can do to bring this down to a zero-dependency package would be most beneficial!
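The thread's complaint is that a transitive dependency (postcss, readable-stream, duplicated lodash) silently inflates the shipped bundle. The script below is an added example, not code from the sanitize-html project or from any participant: it walks a dependency graph to answer "which of my dependencies pulls package X in, and how much would actually disappear if that edge were cut?" The graph, the edges and the byte sizes are constructed placeholders shaped like the thread's description (sanitize-html -> postcss, htmlparser2 -> readable-stream, lodash reachable twice); they are not the real package metadata, and on a real project `npm ls <pkg>` or a bundle analyzer gives the real answer.

```javascript
'use strict';

// CONSTRUCTED dependency graph with PLACEHOLDER sizes in bytes. Edges mirror
// what the thread describes; children of leaf packages are omitted rather
// than guessed. Not the real sanitize-html dependency tree.
const DEP_GRAPH = {
  app:               { size: 0,      deps: ['sanitize-html', 'lodash'] },
  'sanitize-html':   { size: 30000,  deps: ['htmlparser2', 'postcss', 'lodash'] },
  htmlparser2:       { size: 60000,  deps: ['readable-stream'] },
  'readable-stream': { size: 90000,  deps: [] },
  postcss:           { size: 504000, deps: [] },
  lodash:            { size: 70000,  deps: [] },
};

// Every package reachable from `root` (the deduplicated bundle closure),
// excluding `root` itself. Iterative DFS with a visited set, so cycles are safe.
function closure(graph, root) {
  const seen = new Set();
  const stack = [root];
  while (stack.length) {
    const name = stack.pop();
    if (seen.has(name)) continue;
    seen.add(name);
    for (const dep of (graph[name] && graph[name].deps) || []) stack.push(dep);
  }
  seen.delete(root);
  return seen;
}

// Sum of the placeholder sizes of a set of package names.
function totalSize(graph, names) {
  let sum = 0;
  for (const name of names) sum += graph[name] ? graph[name].size : 0;
  return sum;
}

// All dependency paths from `root` to `target`, each as an array of names.
// A package already on the current path is not re-entered (cycle guard).
function pathsTo(graph, root, target) {
  const found = [];
  const walk = (name, path) => {
    if (name === target) { found.push([...path, name]); return; }
    if (path.includes(name)) return;
    for (const dep of (graph[name] && graph[name].deps) || []) walk(dep, [...path, name]);
  };
  walk(root, []);
  return found;
}

// Copy of the graph with the single edge `from -> to` removed.
function withoutEdge(graph, from, to) {
  const copy = {};
  for (const [name, node] of Object.entries(graph)) {
    copy[name] = { size: node.size, deps: node.deps.filter(d => !(name === from && d === to)) };
  }
  return copy;
}

// Bytes that leave the closure of `root` if `from` stopped depending on `to`.
// A shared dependency (lodash here) saves nothing because another path keeps it.
function savingsIfDropped(graph, root, from, to) {
  const before = totalSize(graph, closure(graph, root));
  const after = totalSize(withoutEdge(graph, from, to), closure(withoutEdge(graph, from, to), root));
  return before - after;
}

// Human-readable report for one suspect package.
function report(graph, root, target) {
  const lines = [];
  for (const path of pathsTo(graph, root, target)) lines.push(`via: ${path.join(' > ')}`);
  const parents = Object.keys(graph).filter(n => graph[n].deps.includes(target));
  for (const p of parents) {
    lines.push(`dropping ${p} -> ${target} saves ${savingsIfDropped(graph, root, p, target)} bytes`);
  }
  return lines;
}

console.log(report(DEP_GRAPH, 'app', 'postcss').join('\n'));
console.log(report(DEP_GRAPH, 'app', 'lodash').join('\n'));
```

The "savings" figure is the security-relevant one: it measures real reduction in shipped code (and in third-party attack surface) after deduplication, which is why cutting the postcss edge helps and cutting sanitize-html's own lodash edge does not while the app still depends on lodash directly.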
