
HTML Sanitizer

Sanitize HTML in your browser. Strip script tags, event handlers, and unsafe URLs with a clear allow-list and visible removal stats.


Sanitization runs entirely in your browser. The HTML you paste is never sent to a server.

Tags allowed by the standard preset

<a><abbr><address><article><aside><b><blockquote><br><cite><code><data><dd><dfn><div><dl><dt><em><figcaption><figure><footer><h1><h2><h3><h4><h5><h6><header><hr><i><img><kbd><li><main><mark><nav><ol><p><pre><q><s><samp><section><small><span><strong><sub><summary><sup><time><u><ul><var><wbr>

Inline event handlers (any attribute starting with on), script and style elements, iframes, forms, and links with javascript:, vbscript:, file:, or other unsafe schemes are always rejected, even when the preset would otherwise allow the surrounding tag. ARIA and data-* attributes are kept on every allowed tag.

How to use

  1. Pick a preset: Strict for plain inline formatting, Standard for blog content, or Permissive for rich documents with tables.
  2. Paste your HTML on the left. The cleaned output appears on the right as you type.
  3. Toggle options for unwrapping disallowed tags, keeping safe inline styles, allowing data: image URLs, and link rel hardening.
  4. Read the removal stats card to see what was stripped, then expand the details for a per-tag breakdown.
  5. Click Copy output to grab the sanitized HTML for your CMS, comment field, or email template.

About this tool

HTML Sanitizer strips dangerous markup out of an HTML snippet while keeping the structural tags you want to ship. Pick a preset that fits your use case: Strict for short messages and comments (inline formatting and line breaks only), Standard for blog-style content (headings, paragraphs, lists, links, images, code, quotes), or Permissive for trusted rich-text editors (Standard plus tables, captions, and details).

Every preset always rejects script and style elements, iframes, frames, objects, embeds, base, link, meta, forms, and inline event handlers (any attribute beginning with on). URLs in href, src, action, formaction, poster, and similar attributes are parsed and kept only when they use a safe scheme (http, https, mailto, tel, sms, ftp, sftp, irc); javascript:, vbscript:, file:, and other unsafe schemes are blocked even when the scheme is obfuscated with leading control characters or whitespace.

The Allow safe inline styles option keeps a curated subset of CSS declarations (color, font, spacing, borders, sizing, display) and drops any declaration whose value contains url(), expression(), @import, or angle brackets. The Allow data: image URLs option keeps base64 image data URLs on img tags for PNG, JPG, GIF, WebP, AVIF, BMP, and ICO types; SVG is never allowed because an SVG document can carry script.

For user-generated content, turn on Add nofollow to anchors, and keep the always-recommended Add noopener noreferrer to target="_blank" links enabled so that an opened page cannot reach back into yours through window.opener (reverse tabnabbing).

Every run reports how many tags it removed, how many it unwrapped (the tag is dropped but its inner content is kept), how many attributes it stripped, and how many URLs it blocked, with a per-tag breakdown so you can spot suspicious input.

Parsing uses the platform DOMParser inside a detached document, never the live page, so script elements in your input are inert even before sanitization. Nothing is uploaded; the HTML you paste stays in this tab. Treat the result as a way to inspect and clean markup you control: if the HTML comes from untrusted users, apply the same allow-list on the server or at render time as well, because a sanitizer that only runs in the submitting user's browser can be bypassed by that user.
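The scheme check, data: image rule, inline-style filter and rel hardening described above, as an added example in plain JavaScript. This is not the tool's own code (its source is not on this page): it runs in Node or a browser without touching the DOM, so the walk over the DOMParser document is left out and only the per-attribute decisions are modelled. The concrete CSS property list, the image MIME types and the treatment of relative URLs are assumptions. The WHATWG URL constructor is used for the scheme check because it performs the same leading-control-character, whitespace and case normalisation a browser applies before following a link, which is exactly what a hand-written prefix check tends to get wrong.

```javascript
// Added example: attribute-level policy checks of the kind an HTML sanitizer
// applies to a detached DOMParser document. Not the tool's own code; the MIME
// list, CSS property list and relative-URL handling are assumptions.

// Schemes the page lists as safe for href, src, action, formaction, poster.
const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:', 'tel:', 'sms:', 'ftp:', 'sftp:', 'irc:']);

// Image types accepted in data: URLs on <img src> (PNG, JPG, GIF, WebP, AVIF,
// BMP, ICO). image/svg+xml is deliberately absent: an SVG document can carry
// <script> and event handlers.
const SAFE_DATA_IMAGE_TYPES = new Set([
  'image/png', 'image/jpeg', 'image/gif', 'image/webp', 'image/avif',
  'image/bmp', 'image/x-icon', 'image/vnd.microsoft.icon',
]);

// Decide whether an attribute value (already entity-decoded by the HTML parser)
// may be kept. The WHATWG URL parser strips leading/trailing C0 controls and
// spaces, removes tabs and newlines anywhere, and lower-cases the scheme, so
// "\u0001 JaVa\tscript:alert(1)" still comes out as protocol "javascript:".
// Pass allowDataImages only for img[src]; every other attribute rejects data:.
function classifyUrl(raw, { allowDataImages = false } = {}) {
  let url;
  try {
    // Assumption: relative URLs are kept; resolving against a placeholder
    // https: base gives them the page's own (safe) scheme.
    url = new URL(raw, 'https://placeholder.invalid/');
  } catch {
    return { keep: false, reason: 'unparseable' };
  }
  if (SAFE_SCHEMES.has(url.protocol)) return { keep: true, reason: url.protocol };
  if (url.protocol === 'data:') {
    if (!allowDataImages) return { keep: false, reason: 'data: not enabled here' };
    // Opaque path of a data: URL is "<type>/<subtype>[;param]*;base64,<payload>".
    // Only base64 payloads of allowed image types pass; data:text/html and
    // data:image/svg+xml are rejected regardless of the option.
    const m = /^([a-z0-9.+-]+\/[a-z0-9.+-]+)(?:;[^;,]*)*;base64,/i.exec(url.pathname);
    if (m && SAFE_DATA_IMAGE_TYPES.has(m[1].toLowerCase())) {
      return { keep: true, reason: 'data:' + m[1].toLowerCase() };
    }
    return { keep: false, reason: 'data: type not allowed' };
  }
  return { keep: false, reason: 'unsafe scheme ' + url.protocol };
}

// Properties kept by the "safe inline styles" option. Assumption: the page only
// names the categories (color, font, spacing, borders, sizing, display).
const SAFE_STYLE_PROPS = new Set([
  'color', 'background-color', 'font-family', 'font-size', 'font-style',
  'font-weight', 'line-height', 'text-align', 'text-decoration',
  'margin', 'margin-top', 'margin-right', 'margin-bottom', 'margin-left',
  'padding', 'padding-top', 'padding-right', 'padding-bottom', 'padding-left',
  'border', 'border-width', 'border-style', 'border-color', 'border-radius',
  'width', 'height', 'max-width', 'max-height', 'display',
]);

// Values that can turn a style attribute into a fetch or script vector. A
// backslash is rejected as well, because CSS reads "\75rl(" as "url(" and a
// plain substring check would miss it.
const UNSAFE_STYLE_VALUE = /url\s*\(|expression\s*\(|@import|[<>\\]/i;

// Filter a style attribute down to allowed property: value pairs. Splitting on
// ';' is deliberately simple; a quoted value containing ';' is cut into a
// fragment with unbalanced quotes, which is dropped rather than passed through.
function sanitizeStyle(styleText) {
  const kept = [];
  let dropped = 0;
  for (const decl of styleText.split(';')) {
    if (!decl.trim()) continue;
    const idx = decl.indexOf(':');
    const prop = idx < 0 ? '' : decl.slice(0, idx).trim().toLowerCase();
    const value = idx < 0 ? '' : decl.slice(idx + 1).trim();
    const unbalanced = value.split('"').length % 2 === 0 || value.split("'").length % 2 === 0;
    if (!SAFE_STYLE_PROPS.has(prop) || !value || unbalanced || UNSAFE_STYLE_VALUE.test(value)) {
      dropped += 1;
      continue;
    }
    kept.push(`${prop}: ${value}`);
  }
  return { style: kept.join('; '), dropped };
}

// Link hardening: target="_blank" gets noopener noreferrer so the opened page
// cannot reach back through window.opener; the nofollow option marks
// user-supplied links. An explicit rel="opener" is removed because it would
// re-enable the opener reference.
function hardenRel(rel, target, { nofollow = false } = {}) {
  const tokens = new Set((rel || '').toLowerCase().split(/\s+/).filter(Boolean));
  tokens.delete('opener');
  if ((target || '').toLowerCase() === '_blank') {
    tokens.add('noopener');
    tokens.add('noreferrer');
  }
  if (nofollow) tokens.add('nofollow');
  return [...tokens].join(' ');
}
```

In a browser, the tag walk would call classifyUrl for each href, src, action, formaction and poster attribute on an allowed element (with allowDataImages only for img[src]), sanitizeStyle for each style attribute when the option is on, and hardenRel for every a element, counting the rejections for the stats card. The style filter fails closed: anything it cannot confidently parse is dropped, never repaired.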

Free to use. Works in your browser. No signup, no login.
