UD5 Toolkit
Phishing Email Checker - Online Suspicious Link Analyzer
Paste email headers or body text to quickly spot phishing signs, suspicious domains, and obfuscated links. Educational and private.
HTML Sanitizer - Online Clean Dangerous Tags & XSS Prevention
β Copied to clipboard!
HTML Sanitizer & XSS Prevention
Clean dangerous tags, strip malicious attributes, and prevent cross-site scripting attacks instantly.
Client-Side Safe
Input HTML
Paste your code here
Quick Examples:
XSS Script
Event Handlers
Malicious Link
Mixed Content
Sanitized Output
Waiting for input...
Your data never leaves your browser
Frequently Asked Questions
HTML sanitization is the process of cleaning HTML code by removing or neutralizing potentially dangerous elements. It's essential for preventing Cross-Site Scripting (XSS) attacks, which occur when malicious scripts are injected into web pages viewed by other users. Without sanitization, attackers can steal cookies, hijack sessions, redirect users to phishing sites, or deface websites. A robust sanitizer strips tags like
<script>, <iframe>, <object>, and removes event handler attributes such as onclick, onerror, and onload. It also blocks javascript: protocol URLs in links and images.
High-risk tags that are typically removed include:
Dangerous attributes include all event handlers:
<script>, <iframe>, <object>, <embed>, <applet>, <form>, <input>, <button>, <select>, <textarea>, <link>, <base>, and <meta>.Dangerous attributes include all event handlers:
onclick, onerror, onload, onmouseover, onfocus, onblur, onchange, onsubmit, onkeydown, onkeyup, and over 100+ more on* attributes. The javascript: protocol in href and src attributes is also stripped. In strict mode, style attributes may also be removed to prevent CSS-based injection vectors.
Balanced Mode (recommended for most use cases) removes all dangerous tags and event handlers while preserving safe, semantic HTML tags like
Strict Mode goes further by removing all
<a> (with safe href), <img> (with safe src), <table>, <ul>, <ol>, <h1>-<h6>, <p>, <strong>, <em>, <blockquote>, <code>, <pre>, and many more. Style attributes are preserved but checked for dangerous content.Strict Mode goes further by removing all
style attributes, stripping class and id attributes, and only allowing the most basic formatting tags like <b>, <i>, <u>, <p>, <br>, <strong>, <em>, <ul>, <ol>, and <li>. This is ideal for comment systems or fields requiring maximum security.
Client-side sanitization is an excellent first line of defense, but it should never be your only protection. A security best practice called "defense in depth" recommends sanitizing both on the client side (for immediate user feedback and to protect against DOM-based XSS) and on the server side (to protect against attackers who bypass client-side validation). Server-side libraries like DOMPurify (Node.js), OWASP AntiSamy (Java), or Bleach (Python) provide robust, battle-tested sanitization. Always sanitize data before storing it in a database and before rendering it in a browser.
This tool uses the browser's built-in
DOMParser API to parse raw HTML into a structured DOM tree. It then recursively traverses every element node, checking each tag against a whitelist of safe tags and each attribute against a blacklist of dangerous patterns (event handlers, javascript: protocols). Dangerous elements are removed while preserving their text content. The sanitized DOM is then serialized back to clean HTML using innerHTML. All processing happens entirely in your browser β no data is ever sent to any server, ensuring your HTML remains private and secure.
Common XSS vectors include:
β’ Stored XSS: Malicious scripts are permanently stored on the target server (e.g., in a comment field or user profile) and served to other users.
β’ Reflected XSS: Malicious scripts are reflected off a web server via search results, error messages, or URL parameters.
β’ DOM-based XSS: The attack payload is executed by modifying the DOM environment in the victim's browser.
β’ Mutation XSS (mXSS): Exploits differences between how browsers parse HTML and how sanitizers process it.
Attackers often use obfuscation techniques like HTML entity encoding, mixed case tags, null bytes, or nested elements to bypass naive filters. This tool handles these edge cases by parsing the HTML properly before sanitization.
β’ Stored XSS: Malicious scripts are permanently stored on the target server (e.g., in a comment field or user profile) and served to other users.
β’ Reflected XSS: Malicious scripts are reflected off a web server via search results, error messages, or URL parameters.
β’ DOM-based XSS: The attack payload is executed by modifying the DOM environment in the victim's browser.
β’ Mutation XSS (mXSS): Exploits differences between how browsers parse HTML and how sanitizers process it.
Attackers often use obfuscation techniques like HTML entity encoding, mixed case tags, null bytes, or nested elements to bypass naive filters. This tool handles these edge cases by parsing the HTML properly before sanitization.
This tool provides two pre-configured sanitization profiles (Balanced and Strict) that cover the vast majority of use cases. For advanced users who need custom tag whitelists, consider using libraries like DOMPurify which offer extensive configuration options. You can specify allowed tags, allowed attributes, and even custom hooks for fine-grained control. If you're implementing sanitization in your own application, DOMPurify's
ALLOWED_TAGS and ALLOWED_ATTR configurations give you full flexibility to define your own security policy.
Security Best Practice
Always combine client-side sanitization with server-side validation. Use Content Security Policy (CSP) headers to restrict which scripts can execute on your site. Set cookies with HttpOnly and Secure flags. Remember: never trust user input β sanitize early, sanitize often.
This is safe content.
\n\nWelcome to our site!
',
'event-handlers': '\n Hover or click me - but the handlers will be removed!\n
\n
\nEvent handlers are dangerous.
', 'malicious-link': 'Click me - looks safe but isn\'t!\nThis is a real safe link\nUser Profile
\nHello World!
\n\n\n
\n\nEnd of profile.
' }; // ββββββββββββββββββββββββββββββββββββββ // Event Handlers // ββββββββββββββββββββββββββββββββββββββ $btnSanitize.on('click', function() { const $btn = $(this); $btn.addClass('disabled').prop('disabled', true); $btn.find('i').removeClass('fa-shield').addClass('fa-spinner fa-spin'); // Small delay for UX feedback setTimeout(() => { performSanitization(); $btn.removeClass('disabled').prop('disabled', false); $btn.find('i').removeClass('fa-spinner fa-spin').addClass('fa-shield'); }, 150); }); $btnClear.on('click', function() { $input.val(''); $outputCode.html('Waiting for input...'); $outputPreview.html('').addClass('d-none'); $outputCode.removeClass('d-none'); $viewCodeRadio.prop('checked', true); $statsRow.fadeOut(200); sanitizeStats = { originalSize: 0, cleanedSize: 0, tagsRemoved: 0, attrsStripped: 0, dangerousTagsFound: [] }; }); $btnCopy.on('click', copyOutput); $viewCodeRadio.on('change', toggleView); $viewPreviewRadio.on('change', toggleView); // Example chips $('.example-chips .chip').on('click', function() { const exampleKey = $(this).data('example'); if (examples[exampleKey]) { $input.val(examples[exampleKey]); // Auto-sanitize on example selection $btnSanitize.trigger('click'); } }); // Keyboard shortcut: Ctrl+Enter to sanitize $input.on('keydown', function(e) { if ((e.ctrlKey || e.metaKey) && e.key === 'Enter') { e.preventDefault(); $btnSanitize.trigger('click'); } }); // Mode switch auto re-sanitize $modeBalanced.on('change', function() { if ($(this).is(':checked') && $input.val().trim()) { $btnSanitize.trigger('click'); } }); $modeStrict.on('change', function() { if ($(this).is(':checked') && $input.val().trim()) { $btnSanitize.trigger('click'); } }); // ββββββββββββββββββββββββββββββββββββββ // Initial State // ββββββββββββββββββββββββββββββββββββββ $statsRow.hide(); $outputPreview.addClass('d-none'); // Load a default example for immediate demonstration const defaultExample = 'Hello World!
\n\n\n Click me - the onclick will be stripped!\n
\nDangerous link\nSafe link\n';
$input.val(defaultExample);
// Auto-run sanitization on page load
setTimeout(() => {
performSanitization();
}, 100);
})();
ZeroβWidth Character Detector - Online Find Hidden Unicode
Paste text and instantly see if it contains hidden zeroβwidth characters often used in steganography. Reveal invisible payloads.
<abbr> Tag Generator - Online HTML Abbreviation Builder
Type an abbreviation and its full form to get the proper `<abbr title='...'>` HTML. For accessible markup.
PartsβofβSpeech Tagger - Online Text Analyzer
Paste a sentence and see each word tagged with its part of speech (noun, verb, adjective). Local ruleβbased analysis.
Slug Transliteration Tester - Online Latinize & Clean URLs
Test how nonβLatin characters (Chinese, Cyrillic, Arabic) convert to URLβsafe slugs with proper transliteration rules. Preview the final string.
Cursive Typing Practice β Online Fun Script Keyboard Input
Type a passage and see it appear in a realistic cursive font. Helps connect handwriting to digital text.
HTTP Status Codes Reference - Online Quick Cheat Sheet
A complete reference of HTTP status codes with explanations. Search and filter by code or category. Useful for API developers and web debugging. Static and fast.
Mutation Observer Tester - Online DOM Change Watcher
Modify the DOM via buttons and see MutationRecords logged. Understand childList, attributes, and subtree options.
HTTP Headers Reference - Online Search & Descriptions
Browse a searchable list of standard HTTP request and response headers with explanations. Quick dev help.
HTTP Status Code Reference - Online Search & Meanings
Look up any HTTP status code and see its meaning, RFC reference, and example. Full offline reference.
Tick Removal Procedure Guide β Online Safe Extraction Steps
Animated tweezers technique for proper tick removal. What to do after. Prevention of Lyme disease.
SSML Marker Demo - Online TTS Events & Highlights
Use SSML <mark> tags to fire events during TTS. See text highlighted as it is spoken. Understand speech synthesis timing. local.
Hreflang Tag Generator - Online International SEO
Build hreflang tags for multiβlanguage websites. Select languages and URLs and get the complete <link> snippet.
CORS Header Debugger - Online Check CrossβOrigin Access
Enter a URL and see its CORS headers. Understand why a fetch fails. Check preflight responses. Clientβside debugger.
Random Developer Excuse Generator - Online for Standβup
Need a reason why you are late or the build failed? Get a hilarious, techβthemed excuse. Pure fun for dev teams.
D&D Magic Item Price Calculator β Online by Rarity & Edition
Select item rarity and consumable state to get a price range based on Dungeon Master's Guide tables. Quick reference.
Rune Translator - Online English to Elder Futhark
Transliterate English letters into Elder Futhark runes. Fun for tattoos and fantasy. Oneβtoβone mapping.
Emergency Kit Checklist - Online Disaster Preparedness Planner
Interactive checklist to build an emergency go-bag. Covers water, food, first aid, tools, documents. Track progress locally. Essential for disaster preparedness.
SQL Indenter - Online Just Prettify Your Queries
Format your SQL code with consistent indentation. Choose 2 or 4 spaces. No syntax validation, just neat output.
Fish Quarantine Countdown β Online New Arrival Observation
Set a date when a new fish arrives and get a daily checklist for observation. Countdown to safe introduction.
Water Intake Tracker - Online Daily Hydration Logger
Log your daily water consumption with one click. Set a goal and track progress. Data stored locally for privacy. Simple and clean interface.
UV Index Reference - Online Exposure Category & Protection
See the current UV index forecast or enter a value to learn protection needed (SPF, hat, shade). Educational.
Online Voice Recorder & Downloader - Mic to WAV
Record audio from your microphone and save as WAV file. Visual waveform while recording. Simple and privacy-friendly; audio stays in your browser.
Audio Silence Remover - Online Strip Quiet Parts
Remove silent parts from an audio recording. Useful for podcasts and lectures. Set threshold and minimum silence duration.
Voltage Divider Calculator - Online Electronics Resistor Tool
Calculate the output voltage and resistor values for a voltage divider circuit. Includes schematic. Handy for electronics hobbyists and engineers.
Crossword Solver - Online Find Words by Pattern ?a?e
Enter word pattern with ? for unknown letters and known letters to find matching dictionary words. Essential crossword help. Local dictionary.
Online Audio Trimmer & Splitter - Cut MP3/WAV Locally
Trim audio files or split into multiple segments using visual waveform. Set start/end markers precisely. Download segments or merged track. Purely browser-based.
Audio Trimmer - Online Cut MP3 WAV Locally
Select a part of an audio file and trim it to the selection. Playback preview. Download the cropped audio. No upload.
Treasure Hunt Clue Maker β Online Create Rhyming Clues
Enter hiding places and get a set of rhyming clues to print. Fun for kids' parties.
Ohm's Law Calculator - Online Voltage Current Resistance Power
Enter any two values (voltage, current, resistance, power) and compute the others. Visual triangle helper and formula display. Instant local calculation.