HTML Sanitizer
A client-side tool to remove potentially malicious code (like scripts and event handlers) from HTML to help prevent XSS attacks.
The HTML Sanitizer is a privacy-first utility for removing potentially malicious code from HTML snippets. It's designed to help prevent Cross-Site Scripting (XSS) attacks by stripping out dangerous tags and attributes. All processing is done securely in your browser.
- Input HTML: Paste the HTML content you want to clean into the input box on the left.
- Sanitize: Click the "Sanitize" button. The tool will process the HTML, removing common XSS vectors.
- Review Output: The cleaned HTML will appear on the right. You can inspect it to see what was removed.
- Copy Result: Use the copy button to get the sanitized HTML, ready to be safely rendered in your application.
HTML sanitization is the process of inspecting user-provided HTML and removing any elements or attributes that could be used for malicious purposes. The most common threat is Cross-Site Scripting (XSS), where an attacker injects a script into a webpage that then runs in the browsers of other users. This can be used to steal session cookies, deface websites, or redirect users to phishing sites.
A good sanitizer removes dangerous tags like `<script>`, `<iframe>`, and `<object>`, as well as attributes that can execute code, such as `onclick`, `onerror`, and `onmouseover`. This tool performs a basic version of this process, making the HTML safer to display.
Is this tool a complete security solution?
No. This tool provides basic, client-side sanitization that demonstrates the concept and can handle common cases. For a production application, you should always use a well-vetted, robust library like DOMPurify on the client side or a similar library on your server. Security is complex, and a dedicated library will cover many more edge cases than a handful of regular expressions.
What exactly does this tool remove?
Our basic sanitizer uses regular expressions to remove `<script>` tags and their entire contents, any attributes starting with `on` (like `onclick`), and `href` attributes that use the `javascript:` protocol.
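As an added illustration of the three rules just described (this is not the tool's own source code, and the exact regular expressions are assumptions), here is a minimal JavaScript implementation run against a constructed sample input:

```javascript
// Added example implementing the three rules the tool describes:
// strip <script> elements with their contents, strip on* event-handler
// attributes, and strip href attributes using the javascript: scheme.
// The regexes are assumptions, not the tool's own code; as the page notes,
// production code should use an allowlist library such as DOMPurify.

// Rule 1: <script ...>...</script>, case-insensitive, across newlines.
const SCRIPT_RE = /<script\b[^>]*>[\s\S]*?<\/script\s*>/gi;

// Rule 2: any attribute whose name starts with "on" (onclick, onerror, ...),
// whether its value is double-quoted, single-quoted, or unquoted.
const ON_ATTR_RE = /\s+on\w+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/gi;

// Rule 3: href attributes whose value begins with the javascript: scheme.
const JS_HREF_RE =
  /\s+href\s*=\s*(?:"\s*javascript:[^"]*"|'\s*javascript:[^']*'|javascript:[^\s>]+)/gi;

function sanitizeHtml(html) {
  return html
    .replace(SCRIPT_RE, "")
    .replace(ON_ATTR_RE, "")
    .replace(JS_HREF_RE, "");
}

// Constructed sample input exercising all three rules; the benign
// <p> and the https:// link must survive untouched.
const SAMPLE =
  '<p>Hello</p><script>alert(1)</script>' +
  '<img src="x.png" onerror="alert(2)">' +
  '<a href="javascript:alert(3)">link</a>' +
  '<a href="https://example.com" onclick=alert(4)>ok</a>';

function demo() {
  return sanitizeHtml(SAMPLE);
}

console.log(demo());
// → <p>Hello</p><img src="x.png"><a>link</a><a href="https://example.com">ok</a>
```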
Is my data secure?
Yes. All sanitization happens directly in your browser. No HTML data is ever sent to our servers, ensuring your information remains completely private.