HTML sandbox preview · Render · sanitize · block XSS

When to use it

Previewing a UI snippet, a newsletter template, or user-submitted HTML and checking whether it still contains active scripts. A quick sanity check before pasting into production.

How it works

Paste HTML on the left and it renders on the right inside a sandboxed iframe. An empty sandbox attribute means scripts never run and form submissions are blocked.

Switch to Sanitized mode at the top to strip <script>, on* event handlers, and javascript: / risky data: URLs. The cleaned markup shows up in both the preview and the copy-ready output box. Raw mode keeps the HTML untouched, but rendering still happens inside the sandbox.

Limitations

<style> blocks are also removed — the sanitizer is tuned for email-style inline CSS rather than full stylesheets.
If you paste a full document (<html>, <head>), only the <body> contents survive — a preview wrapper supplies its own chrome.

Preview runs in a sandboxed iframe

Preview runs in a `sandbox=""` iframe. Sanitize mode strips script · on* · javascript: · dangerous data: URIs.

Frequently asked questions

Are script tags executed?

By default, the preview runs inside an `sandbox=""` iframe so scripts cannot execute. Enable 'sanitize mode' to remove '<script>' tags, on* event handlers, `javascript:` URLs, and dangerous data: URIs from the input itself.

Can I load external CSS and images?

Yes. Absolute URLs to external resources load normally inside the iframe. Some resources may still be blocked by cross-origin policy.

What dangerous patterns does sanitize mode strip?

'<script>' tags, on* event handlers (`onclick`, etc.), `javascript:` URLs, and dangerous data URIs like `data:text/html`. The number of stripped items appears below the result.