What tags are removed by default?

script, iframe, object, embed, form, input, button, link (with rel=stylesheet), meta, base, and any tag with an on* event attribute.

Does this sanitizer run in my browser?

Yes, all processing happens client-side using the browser's own DOM parser — your HTML is never sent to a server.

Can I allow specific tags that are blocked by default?

Yes. Use the 'Allow tags' field to whitelist comma-separated tag names you want to keep even if they would normally be removed.

What is 'Strip all tags' mode?

It extracts plain text from the HTML, removing every single tag and leaving only the visible content.

Security 免费无需注册

HTML Sanitizer

Clean HTML and remove XSS / dangerous code

正在加载工具…

关于此工具

Paste HTML containing potentially dangerous tags or attributes and get a safe, sanitized version back instantly. The sanitizer strips <script>, <iframe>, <object>, and <embed> tags, removes all on* event handlers, rewrites javascript: URLs, and highlights exactly what was removed so you can see every change. Advanced options let you allow or block specific tags and choose between full sanitization or 'text only' mode that strips all markup.

使用方法

1 Paste your HTML into the input area on the left.
2 The sanitized output appears on the right in real time.
3 Removed or modified nodes are highlighted in red in the diff view.
4 Use 'Allow tags' or 'Block tags' to tune the rules.
5 Toggle 'Strip all tags' to extract plain text only.
6 Click 'Copy Output' to copy the sanitized HTML.

关于此工具

使用方法

常见问题