What is the structure of a data URI?

Per RFC 2397 the format is data colon, an optional media type, an optional base64 marker, a comma, and then the payload. If no media type is given it defaults to text/plain with US-ASCII. The tool parses each of these parts separately.

Why is a text/html data URI flagged as high risk?

When a text/html or JavaScript data URI is opened in a navigable context such as window.open or an iframe src, the browser executes its contents in some origin. Attackers abuse this to smuggle script past filters, which is why these types are flagged as a data-URI XSS vector.

Is an image data URI safe to preview?

Raster images such as PNG, JPEG and GIF are inert and previewed inline. SVG is treated as dangerous and not previewed, because SVG is XML that can carry inline script and event handlers even though it has an image MIME type.

What obfuscation patterns does it look for?

For textual payloads it scans the decoded content for script tags, inline event handlers like onerror, nested data URIs, and unusually large base64 blobs. These are common signs that a data URI is hiding an executable payload.

Is my data URI uploaded anywhere?

No. Parsing, decoding and previewing all happen in your browser. The payload never leaves your machine, so it is safe to inspect suspicious URIs from logs or user input.

Data URI Inspector & Security Checker

Data URIs let you inline a whole resource into a single string, which is handy for small assets but is also a favourite trick for smuggling executable content past naive filters. This tool decodes a data URI, shows exactly what it contains, and flags the patterns that make a data URI dangerous.

How it works

The tool parses the URI against the RFC 2397 shape data:[<mediatype>][;base64],<data>:

It splits off the media type and the payload at the first comma, defaulting the type to text/plain;charset=US-ASCII when none is given.
It detects whether the payload is base64 or percent-encoded and decodes it, reporting both the encoded length and the decoded byte size.
Safe raster image types (PNG, JPEG, GIF, WebP) are previewed inline directly from the URI. SVG is deliberately excluded from preview because it can run script.
For textual payloads it inspects the decoded content for <script> tags, inline event handlers, nested data: URIs, and oversized base64 blobs, raising the risk level accordingly.

Example and notes

Paste data:text/html,<h1>hi</h1><script>alert(1)</script> and the tool reports a text/html type, flags it high risk as a navigable executable type, and additionally notes the embedded <script> tag in the decoded payload. Paste a small data:image/png;base64,... and it previews the image inline and reports low risk.

Use this when reviewing CSP policies (data URIs interact with img-src, script-src and frame-src) and when checking that input sanitisation strips or neutralises hostile data URIs. Everything runs locally, so suspicious input never leaves your browser.