Base64 to HTML Decoder
Decode a Base64 string or Data URL to HTML. Sandboxed preview, copy source, and .html download.
Your input is processed locally in your browser and is not uploaded to our server.
Output
Paste Base64 on the left to see the preview…
Key Features
Sandboxed Safe Preview
Renders HTML in an iframe sandbox — pop-ups, form submissions, and parent page access are all blocked, preventing malicious script escape.
View HTML Source
The decoded HTML is displayed directly after decoding — copy it to your editor or use it for further processing.
Download .html File
Save the decoded result as a local HTML file with one click, no server required.
Multiple Input Formats
Automatically handles Data URL prefixes, Base64URL (- and _ characters), and standard Base64 — no manual cleanup needed.
Why Use iframe sandbox for Preview?
Rendering decoded HTML directly using innerHTML or document.write creates XSS risks — if the Base64 content includes malicious scripts, they execute in the current page context with access to cookies, localStorage, and the parent page DOM.
This tool renders HTML inside <iframe sandbox="allow-scripts allow-same-origin">. Even if scripts can run in the sandbox, they cannot: trigger dialog boxes (alert/confirm), cause top-level navigation, submit forms to external servers, or access the parent page JavaScript context.
iframe sandbox Attribute Reference
This tool uses sandbox="allow-scripts allow-same-origin". If you embed decoded HTML in your own project, adjust these as needed:
| Attribute | Description | Used Here |
|---|---|---|
| allow-scripts | Allow JavaScript execution | ✓ |
| allow-same-origin | Preserve same-origin policy (otherwise treated as a unique origin) | ✓ |
| allow-forms | Allow form submission | ✗ |
| allow-popups | Allow pop-ups (window.open / alert) | ✗ |
| allow-top-navigation | Allow changing the top-level window URL | ✗ |
| allow-downloads | Allow triggered file downloads | ✗ |
Related Tools
Frequently Asked Questions
Is it safe to preview untrusted Base64 HTML?
This tool previews HTML inside a sandboxed iframe (sandbox="allow-scripts allow-same-origin"). Pop-ups, top-level navigation, form submissions, and access to the parent page are all blocked. For extra caution, avoid decoding HTML from completely untrusted sources.
What input formats does this tool support?
Raw Base64, full Data URLs (data:text/html;base64,...), and Base64URL (uses - and _ instead of + and /). The tool auto-detects and normalises all three formats.
How do I encode HTML to Base64 in the first place?
Use the HTML to Base64 tool on this site. It converts any HTML string to Base64, a Data URL, an iframe embed, or a download link.
Why does the sandbox preview look different from a real browser tab?
sandbox restrictions block localStorage, cookies, alert(), and cross-origin requests. For a full rendering, use the Download button and open the file in a new tab directly.
Can I decode Base64URL-encoded HTML?
Yes. Base64URL replaces + with - and / with _. The tool detects these characters automatically and converts before decoding.
Are my files uploaded to a server?
No. Decoding runs entirely in your browser using the built-in atob() function and TextDecoder. Nothing is sent to any server.