CSS 3D Transform Sandbox – Online Rotate Translate Preview
Adjust rotateX/Y/Z and translate to see a 3D box in real time. Copy optimized CSS transform.
UD5 Toolkit
Online Test Escape Characters — Encode, transform, and analyze XSS payloads across multiple encoding schemes. Instantly see how payloads behave under different escaping contexts.
< becomes <, > becomes >, & becomes &, and quotes become " or '. This encoding is essential when inserting user-controlled data into HTML body content, as it prevents the browser from interpreting injected HTML tags. It's the most fundamental XSS defense when outputting to HTML contexts.
% followed by two hexadecimal digits. For example, < becomes %3C. Double URL Encoding applies URL encoding twice — so < first becomes %3C, then the % itself gets encoded to %25, resulting in %253C. Double encoding is a well-known bypass technique: if a WAF or filter decodes input only once and then passes it to the application which decodes again, the payload can slip through.
\uXXXX format) is primarily used in JavaScript string literals to represent characters by their Unicode code points. For example, < becomes \u003C. JavaScript Escape uses hex escape sequences (\xXX) for characters in the 0-255 range and also handles special characters like newlines (\n), tabs (\t), backslashes (\\), and quotes (\', \"). Use Unicode escapes when you need full Unicode support; use standard JS escaping for inserting data into JavaScript string contexts.
< > &. HTML Attributes additionally require quoting of attribute delimiters (" or '). JavaScript strings need backslash escaping for quotes, backslashes, and line terminators. URL parameters require percent-encoding. CSS needs CSS-specific escaping. A common mistake is using HTML entity encoding for JavaScript contexts — entities aren't interpreted inside <script> blocks, leaving the application vulnerable.
\x followed by its two-digit hexadecimal code. For example, alert becomes \x61\x6c\x65\x72\x74. This encoding is commonly used in JavaScript contexts to obfuscate payloads and bypass signature-based filters. Combined with eval() or Function() constructors, hex-encoded strings can execute arbitrary JavaScript. Many WAFs look for plaintext alert or script patterns, making hex encoding an effective evasion technique.
data: URIs or when combined with JavaScript atob() decoding. For example, eval(atob('YWxlcnQoMSk=')) executes alert(1). However, Base64 alone doesn't bypass HTML context restrictions since the browser doesn't automatically decode Base64 in HTML. It's most effective when the application has a decoding mechanism or when used in combination with other techniques like the data:text/html;base64,... URI scheme.
HttpOnly flag on cookies. 6) Apply the principle of least privilege — never inject user data into dangerous contexts like eval() or innerHTML.
Adjust rotateX/Y/Z and translate to see a 3D box in real time. Copy optimized CSS transform.
Paste response headers string and get a security audit. Check presence and configuration of key security headers. Local analysis.
Calculate the entropy (in bits) of a password based on character pool size and length. Visual strength meter with crack time estimation. Local only.
Experiment with JavaScript Intl.DateTimeFormat options. Choose locale, dateStyle, timeStyle, hour12 and see live output. Copy the code snippet for your project.
Generate a temporary webhook URL (mock) and view the JSON payloads sent to it. Great for testing integrations locally.
Test a regular expression against malicious inputs to detect catastrophic backtracking and ReDoS vulnerabilities. Educational.
Drop a PDF and extract any embedded JavaScript or form actions. Check for malicious code. Privacy‑friendly analysis.
Test SQL injection inputs on a mock database and see the resulting query. Learn how to prevent SQLi. No real data.
Use the new Sanitizer API to safely insert raw HTML into the DOM. Blocks malicious tags. Experimental demo.
Validate a DNSSEC chain by entering DS and RRSIG records. Verify that signatures match. Educational. Local algorithm.
Paste the Permissions‑Policy header and get a human‑readable table of allowed/blocked browser features. Understand how your site is restricted.
Test if a script or style will be allowed by a given CSP. Compute hash/nonce. Strengthen your site’s defense against XSS. Local.
Write to shared storage and run a worklet to process data. Learn the privacy‑preserving alternative to third‑party cookies.
Create a passkey and authenticate using the Web Authentication API. Supports platform authenticators (TouchID, FaceID). No server.
Check if a URL can be embedded in an iframe. Test your site’s defense against clickjacking. Browser‑based.
Fetch a site’s HSTS header and validate its syntax, max‑age, and subdomain flags. Ensure your site enforce HTTPS.
Paste a Content‑Security‑Policy header and get a human‑readable breakdown. See potential risks and suggestions.
Configure browser feature permissions (camera, microphone, geolocation) and generate the Permissions‑Policy HTTP header.
Convert plain text into HTML‑safe strings by escaping <, >, &, and quotes. Insert into code safely. Local copy.
Write JavaScript code and see the output or console.log results immediately. Safe iframe sandbox. For quick experiments.
Type raw HTML and see the escaped version, then see how it renders when unescaped. Understand encoding better.
Build an iframe with different sandbox flags and see live which features are blocked. For secure embedding.
Instantly convert plain text into HTML‑safe escaped characters for secure display in web pages. Prevent cross‑site scripting. All processing local.
Paste any JavaScript expression and see its evaluated type and value. Understand JS coercion and type quirks. Educational.
Strip dangerous HTML tags and attributes (scripts, onclick) to prevent XSS attacks. Safe iframe preview. Local sanitation engine.
Paste email headers or body text to quickly spot phishing signs, suspicious domains, and obfuscated links. Educational and private.
Escape HTML special characters to prevent XSS attacks, or unescape HTML entities back to original text. Essential for web developers. Runs locally.
Evaluate the strength of your passwords with a visual meter and detailed feedback. Check for length, complexity, and breached passwords. All analysis is client-side.
Write or paste HTML, CSS, and JavaScript and instantly see the rendered output in a sandboxed iframe. A handy frontend prototyping tool.
Generate ultra-secure, random passwords with configurable length and character sets. Created entirely on your device; never transmitted or stored.