Sanitize untrusted HTML fragments before rendering previews, comments, or CMS content with DOMPurify
Use DOMPurify when an agent must accept HTML from users, rich text editors, imports, or model output but cannot safely render it as-is. The skill strips dangerous markup and unsafe attributes before the content is shown in previews, stored in CMS fields, or embedded in downstream pages.
npx skills add agentskillexchange/skills --skill sanitize-untrusted-html-fragments-before-rendering-previews-comments-or-cms-content-dompurify
Tool: DOMPurify is an open source HTML, SVG, and MathML sanitizer maintained by Cure53. This entry is not a generic library card. It describes a concrete agent workflow: receive untrusted markup, sanitize it with secure defaults, and pass along only the cleaned fragment for rendering or storage.
What the agent does: it takes HTML generated by users, imported documents, WYSIWYG editors, scraped content, or another model, runs DOMPurify, and returns a safer fragment with scripts, event handlers, dangerous URLs, and other risky payloads removed according to the project's allowed content policy. That makes it useful before showing comment previews, rendering CMS blocks, saving custom fields, or embedding rich snippets inside dashboards and knowledge bases.
When to use it: invoke this when the agent's job is to make incoming markup render-safe before preview or publication. Do not invoke it just because a project uses DOMPurify somewhere in the stack. The bounded task is sanitization of already-produced markup at a trust boundary.
Scope boundary: this is not a page builder, template system, editor, or full web security platform. It does not author HTML, manage permissions, or validate business rules. It only sanitizes markup so unsafe content does not flow downstream.
Integration points: browser preview services, WordPress and headless CMS ingestion, moderation queues, import pipelines, email and notification rendering, and custom agent tools that accept HTML input. Upstream evidence is strong: official GitHub repo, npm package, dual-license declaration, tagged releases, large adoption, and very recent commits.
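The workflow the card describes, as an added example that is not part of the skill card or the DOMPurify project: a trust-boundary wrapper that maps a per-surface content policy onto DOMPurify's configuration options, hardens the links that survive sanitization with an `afterSanitizeAttributes` hook, and returns the cleaned fragment together with a record of what was stripped (read from `DOMPurify.removed`) so a moderation queue or detection pipeline can see injection attempts. It assumes the caller supplies a DOMPurify instance (`window.DOMPurify` in a browser, or `createDOMPurify(new JSDOM('').window)` in Node after `npm i dompurify jsdom`); the policy object `COMMENT_POLICY`, the helper names, and `SAMPLE_COMMENT` are constructed for this example.

```javascript
// Added example (not the skill card's or DOMPurify's own code): a trust-boundary
// wrapper around DOMPurify for comment/CMS previews. Assumes `purify` is a
// DOMPurify instance: window.DOMPurify in a browser, or in Node
// createDOMPurify(new JSDOM('').window) after `npm i dompurify jsdom`.
// COMMENT_POLICY, the helper names and SAMPLE_COMMENT are constructed here.

// Per-surface policy: what a comment preview is allowed to render. Keeping it
// as data makes the allowed content explicit and reviewable.
const COMMENT_POLICY = {
  tags: ['p', 'br', 'b', 'strong', 'i', 'em', 'code', 'pre', 'a',
         'ul', 'ol', 'li', 'blockquote'],
  attrs: ['href', 'title'],
  // Links: http(s), mailto, root-relative paths and fragments only. Rejects
  // javascript:, data: and protocol-relative (//host) URLs; plain relative
  // paths such as "docs/page" are also rejected by this policy.
  uriRegexp: /^(?:https?:|mailto:|\/(?!\/)|#)/i,
};

// Map a policy onto DOMPurify's configuration keys.
function buildConfig(policy) {
  return {
    ALLOWED_TAGS: policy.tags,
    ALLOWED_ATTR: policy.attrs,
    ALLOWED_URI_REGEXP: policy.uriRegexp,
    // Never allowed, even if someone later widens the allowlists above.
    FORBID_TAGS: ['style', 'script', 'iframe', 'object', 'embed', 'form', 'input'],
    FORBID_ATTR: ['style', 'srcdoc'],
    KEEP_CONTENT: true, // keep the text of stripped elements, e.g. <div>x</div> -> x
    RETURN_DOM: false,  // return a string suitable for storage or embedding
  };
}

// Hook: links that survive sanitization get rel/target set so they cannot
// reach the opener window or leak the referrer. afterSanitizeAttributes runs
// after the attribute allowlist for that node, so the added attributes stay.
function installLinkHardening(purify) {
  purify.addHook('afterSanitizeAttributes', (node) => {
    if (node.tagName === 'A' && node.hasAttribute('href')) {
      node.setAttribute('rel', 'noopener noreferrer');
      node.setAttribute('target', '_blank');
    }
  });
}

// Describe one entry of DOMPurify.removed ({element} or {attribute, from}).
function describeRemoval(entry) {
  if (entry.element) return 'element:' + entry.element.nodeName.toLowerCase();
  if ('attribute' in entry) {
    return 'attribute:' + (entry.attribute ? entry.attribute.name : 'unknown');
  }
  return 'unknown';
}

// The trust boundary: untrusted string in, cleaned string plus an audit record out.
function sanitizeFragment(purify, dirty, policy = COMMENT_POLICY) {
  if (typeof dirty !== 'string') throw new TypeError('expected an HTML string');
  const clean = purify.sanitize(dirty, buildConfig(policy));
  // DOMPurify.removed holds what the last sanitize() call stripped; surface it
  // so moderation or detection can see repeated injection attempts.
  const removed = purify.removed.map((entry) => describeRemoval(entry));
  return { clean, removed };
}

// Constructed sample input (not real user data): benign formatting mixed with
// the kinds of payload the card says should be stripped.
const SAMPLE_COMMENT =
  '<p>Thanks! <a href="https://example.com/docs">docs</a> ' +
  '<img src="x" onerror="alert(1)"> <a href="javascript:alert(1)">click</a>' +
  '<script>alert(1)</script><div style="color:red">styled</div></p>';

// Node bootstrap (assumption: dompurify and jsdom are installed).
function createNodePurifier() {
  const { JSDOM } = require('jsdom');
  const createDOMPurify = require('dompurify');
  const purify = createDOMPurify(new JSDOM('').window);
  installLinkHardening(purify);
  return purify;
}

// Run directly with `node sanitize-fragment.js` to see the cleaned output and
// the removal record for SAMPLE_COMMENT.
if (typeof require !== 'undefined' && require.main === module) {
  try {
    const result = sanitizeFragment(createNodePurifier(), SAMPLE_COMMENT);
    console.log('clean:', result.clean);
    console.log('removed:', result.removed);
  } catch (err) {
    console.error('demo needs `npm i dompurify jsdom`:', err.message);
  }
}
```

The policy object, rather than a bare call to `sanitize()`, is the point: each rendering surface (comment preview, CMS block, email body) gets its own reviewable allowlist, the `FORBID_*` lists act as a floor that later allowlist changes cannot lower, and the `removed` record gives the moderation queue a signal that the defaults alone would silently discard.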