strip-js loads https://github.com/cheeriojs/cheerio, as a dependency, which is similar to jQuery.
between that and it's other dependency, sanitize-html, we're loading 110kb (minified size) for the xss guard.

All our xhr data comes from same origin at this point, so this seems too high a price in page weight to pay. But as security best practice we should still pass all the client side generated html through a xss guard.

https://github.com/cure53/DOMPurify comes in at 14.7 kb minified and is actively maintained, any reasons not to use that instead?

Ughh. I didn't see the dependency. DOMPurify was my first choice, but it's a little too aggressive in it's HTML validation. It stripped all the tr elements, presumably because they weren't nested in table and tbody elements in the snippets being validated. It seems to be undocumented and there was not configuration setting for it.

The Google Caja based scrubbers (sanitizer, gogle-caja) are also really large and really short on documentation for unexpected behavior I encountered.

I tried sanitize-html, but quickly discovered that every request would require a detailed whitelist of every element and attribute allowed, and then it's not clear whether those attributes that are whitelisted are being themselves scrubbed or not, though I'm sure those details could be figured out.

There is also xss which is tiny, but has very restrictive default settings, so would need customized whitelists for every request.

One last thought for now. We could use a really aggressive sanitizer and just filter inserted values instead of chunks of HTML. We could even strip out all HTML if it targeted at just the values. I played with this a little, but it gets pretty nasty in some places.

I've got a little more on this. DOMPurify internally does something like this.

var dirty = '<tr><td>5</td></tr>'
var doc = document.implementation.createHTMLDocument("New Document")
var _doc = doc, body = doc.body // Not sure why
body.outerHTML = dirty
node = document.getElementsByTagName.call(doc, 'body')[0]
// some other stuff
console.log(node.innerHTML)

This will yield 5, I guess because freestanding tr elements are not valid. Instead of allowing dompurify to create nodes, we can create the elements ourselves and tell dompurify to sanitize it in-place.

var tbody = document.createElement('tbody')
tbody.innerHTML = '<tr><td>5</td></tr>'
dompurify.sanitize(tbody, {IN_PLACE: true})
return tbody.firstChild

Which also might yield some performance benefits (see cure53/DOMPurify#190 and cure53/DOMPurify#191).

Worked out the QR code animation. Used the new --purge-n-blocks flags to further test the sync status page progress bars through completion.

Great. I'm glad that's helping. I'm prepping a PR to complete the feature by rewinding sqlite too.

Testing well, was not able to find any bugs that are not already on master.

Please also remove jquery from the externals declarations in our webpack config
https://github.com/decred/dcrdata/blob/master/webpack.common.js#L11