PDF Text Cleaner – Online Fix Broken Lines & Hyphens
Paste text copied from a PDF and remove unwanted line breaks, hyphenation, and extra spaces.
UD5 Toolkit
Clean dangerous tags, strip malicious attributes, and prevent cross-site scripting attacks instantly.
Waiting for input...
<script>, <iframe>, <object>, and removes event handler attributes such as onclick, onerror, and onload. It also blocks javascript: protocol URLs in links and images.
<script>, <iframe>, <object>, <embed>, <applet>, <form>, <input>, <button>, <select>, <textarea>, <link>, <base>, and <meta>.onclick, onerror, onload, onmouseover, onfocus, onblur, onchange, onsubmit, onkeydown, onkeyup, and over 100+ more on* attributes. The javascript: protocol in href and src attributes is also stripped. In strict mode, style attributes may also be removed to prevent CSS-based injection vectors.
<a> (with safe href), <img> (with safe src), <table>, <ul>, <ol>, <h1>-<h6>, <p>, <strong>, <em>, <blockquote>, <code>, <pre>, and many more. Style attributes are preserved but checked for dangerous content.style attributes, stripping class and id attributes, and only allowing the most basic formatting tags like <b>, <i>, <u>, <p>, <br>, <strong>, <em>, <ul>, <ol>, and <li>. This is ideal for comment systems or fields requiring maximum security.
DOMParser API to parse raw HTML into a structured DOM tree. It then recursively traverses every element node, checking each tag against a whitelist of safe tags and each attribute against a blacklist of dangerous patterns (event handlers, javascript: protocols). Dangerous elements are removed while preserving their text content. The sanitized DOM is then serialized back to clean HTML using innerHTML. All processing happens entirely in your browser — no data is ever sent to any server, ensuring your HTML remains private and secure.
ALLOWED_TAGS and ALLOWED_ATTR configurations give you full flexibility to define your own security policy.
Always combine client-side sanitization with server-side validation. Use Content Security Policy (CSP) headers to restrict which scripts can execute on your site. Set cookies with HttpOnly and Secure flags. Remember: never trust user input — sanitize early, sanitize often.
This is safe content.
\n\n
\nEvent handlers are dangerous.
', 'malicious-link': 'Click me - looks safe but isn\'t!\nThis is a real safe link\nHello World!
\n\n\n
\n\nEnd of profile.
' }; // ────────────────────────────────────── // Event Handlers // ────────────────────────────────────── $btnSanitize.on('click', function() { const $btn = $(this); $btn.addClass('disabled').prop('disabled', true); $btn.find('i').removeClass('fa-shield').addClass('fa-spinner fa-spin'); // Small delay for UX feedback setTimeout(() => { performSanitization(); $btn.removeClass('disabled').prop('disabled', false); $btn.find('i').removeClass('fa-spinner fa-spin').addClass('fa-shield'); }, 150); }); $btnClear.on('click', function() { $input.val(''); $outputCode.html('Waiting for input...'); $outputPreview.html('').addClass('d-none'); $outputCode.removeClass('d-none'); $viewCodeRadio.prop('checked', true); $statsRow.fadeOut(200); sanitizeStats = { originalSize: 0, cleanedSize: 0, tagsRemoved: 0, attrsStripped: 0, dangerousTagsFound: [] }; }); $btnCopy.on('click', copyOutput); $viewCodeRadio.on('change', toggleView); $viewPreviewRadio.on('change', toggleView); // Example chips $('.example-chips .chip').on('click', function() { const exampleKey = $(this).data('example'); if (examples[exampleKey]) { $input.val(examples[exampleKey]); // Auto-sanitize on example selection $btnSanitize.trigger('click'); } }); // Keyboard shortcut: Ctrl+Enter to sanitize $input.on('keydown', function(e) { if ((e.ctrlKey || e.metaKey) && e.key === 'Enter') { e.preventDefault(); $btnSanitize.trigger('click'); } }); // Mode switch auto re-sanitize $modeBalanced.on('change', function() { if ($(this).is(':checked') && $input.val().trim()) { $btnSanitize.trigger('click'); } }); $modeStrict.on('change', function() { if ($(this).is(':checked') && $input.val().trim()) { $btnSanitize.trigger('click'); } }); // ────────────────────────────────────── // Initial State // ────────────────────────────────────── $statsRow.hide(); $outputPreview.addClass('d-none'); // Load a default example for immediate demonstration const defaultExample = 'Hello World!
\n\n
';
$input.val(defaultExample);
// Auto-run sanitization on page load
setTimeout(() => {
performSanitization();
}, 100);
})();
Paste text copied from a PDF and remove unwanted line breaks, hyphenation, and extra spaces.
Paste response headers string and get a security audit. Check presence and configuration of key security headers. Local analysis.
Remove clicks, pops, and crackle from audio recordings. Useful for digitizing vinyl. Threshold‑based local processing.
Test a regular expression against malicious inputs to detect catastrophic backtracking and ReDoS vulnerabilities. Educational.
Drop a PDF and extract any embedded JavaScript or form actions. Check for malicious code. Privacy‑friendly analysis.
Test SQL injection inputs on a mock database and see the resulting query. Learn how to prevent SQLi. No real data.
Paste a potential XSS vector and see if it executes in a sandboxed iframe. For security researchers and education.
Paste CSS with vendor prefixes and get a clean version with only the standard property. Modernize your stylesheets.
Use the new Sanitizer API to safely insert raw HTML into the DOM. Blocks malicious tags. Experimental demo.
Validate a DNSSEC chain by entering DS and RRSIG records. Verify that signatures match. Educational. Local algorithm.
Paste the Permissions‑Policy header and get a human‑readable table of allowed/blocked browser features. Understand how your site is restricted.
Test if a script or style will be allowed by a given CSP. Compute hash/nonce. Strengthen your site’s defense against XSS. Local.
Check if a URL can be embedded in an iframe. Test your site’s defense against clickjacking. Browser‑based.
Fetch a site’s HSTS header and validate its syntax, max‑age, and subdomain flags. Ensure your site enforce HTTPS.
Paste a Content‑Security‑Policy header and get a human‑readable breakdown. See potential risks and suggestions.
Configure browser feature permissions (camera, microphone, geolocation) and generate the Permissions‑Policy HTTP header.
Get a random, clean, and silly joke perfect for children. Guaranteed giggles. No offensive content.
Strip specific or all attributes from HTML tags. Clean up messy code. Keep the structure. Purely local.
Convert plain text into HTML‑safe strings by escaping <, >, &, and quotes. Insert into code safely. Local copy.
Paste a sentence and remove repeated words (keep first occurrence). For cleaning auto‑generated text. Local.
Build an iframe with different sandbox flags and see live which features are blocked. For secure embedding.
Paste your CSS and strip all `!important` declarations in one click. See a list of affected rules. Local tool.
Instantly convert plain text into HTML‑safe escaped characters for secure display in web pages. Prevent cross‑site scripting. All processing local.
Paste a string and get a clean, safe file name by replacing forbidden characters. Works for Windows, Mac, Linux.
Paste email headers or body text to quickly spot phishing signs, suspicious domains, and obfuscated links. Educational and private.
Escape HTML special characters to prevent XSS attacks, or unescape HTML entities back to original text. Essential for web developers. Runs locally.
Strip leading line numbers from code snippets or poetry. Quick and accurate. Restore the original text. Entirely local processing, no data upload.
Remove all line breaks and turn multi-line text into a single continuous string. Optionally replace line breaks with spaces. Fast and secure local tool.
Evaluate the strength of your passwords with a visual meter and detailed feedback. Check for length, complexity, and breached passwords. All analysis is client-side.
Generate ultra-secure, random passwords with configurable length and character sets. Created entirely on your device; never transmitted or stored.