Next.js TypeError: DOMPurify.sanitize() is Not a Function - Fix & Troubleshooting Guide
In modern web development, security is paramount, especially when handling user-generated content or dynamic HTML. DOMPurify is a popular library designed to sanitize HTML and prevent cross-site scripting (XSS) attacks by removing malicious code. It’s widely used in Next.js applications to ensure rendered content is safe for the browser.
However, developers often encounter a frustrating error: TypeError: DOMPurify.sanitize() is not a function. This error occurs when JavaScript cannot locate the sanitize method on the DOMPurify object, halting your application.
In this guide, we’ll demystify this error, explore its root causes, and provide step-by-step solutions to fix it. Whether you’re new to Next.js or a seasoned developer, this article will help you resolve the issue and prevent it from recurring.
Table of Contents#
- Understanding the Error
- Common Causes of the Error
- Step-by-Step Fixes
- Advanced Troubleshooting
- Prevention Tips to Avoid Future Errors
- Conclusion
- References
1. Understanding the Error#
The error TypeError: DOMPurify.sanitize() is not a function occurs when the JavaScript engine tries to call the sanitize method on the DOMPurify object but cannot find it. This typically means:
DOMPurifyis not imported correctly.- The library is not installed in your project.
- The code is running in an environment where
DOMPurify(or its dependencies) is unavailable (e.g., server-side rendering in Next.js). - There’s a version mismatch or a typo in your code.
Example Error Stack Trace#
TypeError: DOMPurify.sanitize is not a function
at HomePage (./pages/index.js:15:20)
at renderWithHooks (./node_modules/react-dom/cjs/react-dom-server.browser.development.js:5658:16)
...
2. Common Causes of the Error#
Before diving into fixes, let’s identify the most likely culprits:
| Cause | Description |
|---|---|
| Missing Installation | DOMPurify is not installed in your node_modules folder. |
| Incorrect Import | Using a named import (e.g., import { sanitize } from 'dompurify') instead of the default export. |
| Server-Side Rendering (SSR) Conflicts | Next.js runs code on the server during build/request, but DOMPurify relies on browser APIs (e.g., window), making it unavailable server-side. |
| Outdated Version | Using an older version of DOMPurify where the sanitize method was renamed or deprecated. |
| Typos | Misspelling sanitize (e.g., sanitise, sanitazie) or DOMPurify. |
3. Step-by-Step Fixes#
Let’s resolve the error with targeted solutions, starting with the most common causes.
Fix 1: Verify DOMPurify Installation#
The first check is ensuring DOMPurify is installed in your project.
How to Fix:#
-
Check
package.json: Look fordompurifyin thedependenciesordevDependenciessection. If missing, install it.// package.json (example) "dependencies": { "dompurify": "^3.0.6", // Should appear here "next": "14.0.3", "react": "18.2.0" } -
Install DOMPurify (if missing):
# Using npm npm install dompurify # Using yarn yarn add dompurify # Using pnpm pnpm add dompurify -
Reinstall if corrupted: If
dompurifyexists inpackage.jsonbut the error persists, deletenode_modulesandpackage-lock.json/yarn.lock, then reinstall:rm -rf node_modules package-lock.json npm install
Fix 2: Correct Import Statements#
DOMPurify uses a default export, not named exports. Importing it incorrectly is a frequent source of the sanitize is not a function error.
Common Mistake:#
// ❌ Incorrect: Using named import
import { sanitize } from 'dompurify';
// ❌ Incorrect: Trying to destructure from a default import
import DOMPurify from 'dompurify';
const { sanitize } = DOMPurify; // Fails if DOMPurify is not loaded Correct Import:#
// ✅ Correct: Import the default export
import DOMPurify from 'dompurify';
// Usage
const sanitizedHTML = DOMPurify.sanitize('<script>malicious code</script>'); Fix 3: Handle Server-Side Rendering (SSR) Limitations#
Next.js renders pages server-side (SSR) or at build time (SSG/ISR) by default. DOMPurify depends on browser-specific APIs like window and document, which are unavailable in Node.js (the server environment). This causes DOMPurify to load incorrectly or return undefined server-side, leading to the error.
Solutions for SSR/SSG:#
Option 1: Use dynamic Import with ssr: false#
Next.js’s dynamic import lets you load components/client-side libraries only in the browser, bypassing server-side execution.
// pages/index.js
import dynamic from 'next/dynamic';
// Dynamically import DOMPurify with SSR disabled
const DOMPurify = dynamic(() => import('dompurify'), {
ssr: false, // Load only on the client
loading: () => <p>Loading...</p>, // Optional loading state
});
export default function HomePage({ userContent }) {
// Sanitize only after DOMPurify loads (client-side)
const sanitizedContent = DOMPurify.sanitize(userContent);
return <div dangerouslySetInnerHTML={{ __html: sanitizedContent }} />;
} Option 2: Check for window Availability#
Wrap DOMPurify usage in a check for the window object (available only in browsers) to avoid server-side execution.
// pages/index.js
import DOMPurify from 'dompurify';
export default function HomePage({ userContent }) {
// Only run sanitization on the client
if (typeof window !== 'undefined') {
const sanitizedContent = DOMPurify.sanitize(userContent);
return <div dangerouslySetInnerHTML={{ __html: sanitizedContent }} />;
}
// Return fallback for server-side (empty or loading state)
return <div>Loading content...</div>;
} Option 3: Use useEffect for Client-Side Execution#
For React components, useEffect runs after the component mounts (client-side), ensuring window is available.
// components/SanitizedContent.js
import { useEffect, useState } from 'react';
import DOMPurify from 'dompurify';
export default function SanitizedContent({ html }) {
const [sanitizedHTML, setSanitizedHTML] = useState('');
useEffect(() => {
// Run only on the client (useEffect doesn't run server-side)
setSanitizedHTML(DOMPurify.sanitize(html));
}, [html]);
return <div dangerouslySetInnerHTML={{ __html: sanitizedHTML }} />;
} Fix 4: Resolve Version Conflicts#
Older versions of DOMPurify may have breaking changes. For example, versions prior to 2.0.0 had different method names or behavior.
Check Your DOMPurify Version:#
npm list dompurify
# or
yarn list dompurify Update to the Latest Version:#
# npm
npm update dompurify
# yarn
yarn upgrade dompurify
# pnpm
pnpm update dompurify Note: Always check the DOMPurify release notes when updating to avoid unexpected changes.
Fix 5: Check for Typos or Misnaming#
A simple typo can cause the error. Double-check:
- The method name:
sanitize(notsanitise,sanitaze, orpurify). - The library name:
DOMPurify(case-sensitive; notdompurifyorDomPurifyin variable names).
// ❌ Typo example
const sanitized = DOMPurify.sanitise(userInput); // "sanitise" (British spelling)
// ✅ Correct
const sanitized = DOMPurify.sanitize(userInput); 4. Advanced Troubleshooting#
If the above fixes don’t resolve the error, try these advanced steps:
Check Imported Object Structure#
Log DOMPurify to the console to verify its structure. If it’s undefined or an empty object, the import/loading process is failing.
import DOMPurify from 'dompurify';
console.log('DOMPurify:', DOMPurify); // Check browser console (F12) Expected Output (client-side):
DOMPurify: { sanitize: ƒ, addHook: ƒ, ... }
If DOMPurify is undefined, revisit Fix 3 (SSR issues) or Fix 1 (installation).
Verify Browser Environment#
If using DOMPurify in a non-component file (e.g., lib/utils.js), ensure it’s only called client-side. Use a guard clause to check for window:
// lib/sanitize.js
import DOMPurify from 'dompurify';
export function sanitizeHTML(html) {
if (typeof window === 'undefined') {
return ''; // Return empty or fallback for server-side
}
return DOMPurify.sanitize(html);
} Check for Tree Shaking or Bundler Conflicts#
Rarely, Next.js’s Webpack bundler may tree-shake DOMPurify (remove unused code) if it’s not imported correctly. Ensure the import is not wrapped in unused conditionals or dynamic logic that Webpack misinterprets.
Use a CDN as a Fallback#
As a last resort, load DOMPurify via a CDN in _document.js to ensure it’s available globally:
// pages/_document.js
import Document, { Html, Head, Main, NextScript } from 'next/document';
export default class MyDocument extends Document {
render() {
return (
<Html>
<Head>
{/* Load DOMPurify from CDN */}
<script src="https://cdnjs.cloudflare.com/ajax/libs/dompurify/3.0.6/purify.min.js"></script>
</Head>
<body>
<Main />
<NextScript />
</body>
</Html>
);
}
}
// Usage in components (access via window.DOMPurify)
const sanitized = window.DOMPurify.sanitize(html); 5. Prevention Tips to Avoid Future Errors#
- Pin DOMPurify Version: Use a specific version in
package.json(e.g.,dompurify: "3.0.6") instead of^to avoid accidental updates with breaking changes. - Add Type Safety (TypeScript): Install
@types/dompurifyfor auto-complete and type checks:npm install -D @types/dompurify - Test SSR/Client-Side Behavior: Use
next devandnext build && next startto test both development and production modes (SSR issues often surface in production). - Lint Imports: Use ESLint with
eslint-plugin-importto flag incorrect import statements. - Document Sanitization Logic: Add comments in utility functions (e.g.,
// DOMPurify: Loaded client-side only) to remind teammates of SSR limitations.
6. Conclusion#
The TypeError: DOMPurify.sanitize() is not a function error in Next.js is almost always caused by one of four issues: missing installation, incorrect imports, server-side rendering conflicts, or typos. By following the step-by-step fixes in this guide—starting with verifying installation and imports, then addressing SSR limitations—you can resolve the error and ensure your application safely sanitizes HTML.
Remember: DOMPurify is a client-side library, so always guard its usage against server-side execution in Next.js. With proper setup, you’ll keep your app secure and error-free.