Built-in safeguards
- No server endpoints accept tool input
- No user-supplied JavaScript is executed
- Untrusted text is written into textarea values, never injected as HTML
- Download names are fixed by the tool instead of derived from pasted text
- Regular expressions are length-limited and checked for common nested repetition risks
- Large processing jobs move to a Web Worker so the main interface remains responsive
Be careful with secrets
Even though PasteTidy processes content locally, avoid pasting passwords, private keys, production access tokens, recovery codes, or highly sensitive personal data into any website. Browser extensions, compromised devices, screen sharing, and local malware are outside this application’s control.
Regular-expression limits
Regular-expression mode is intended for short, understandable patterns. PasteTidy rejects patterns that show common signs of catastrophic backtracking and caps regex input size, but no heuristic can prove that every expression is inexpensive.
Hosting and transport
The production site uses HTTPS, a restrictive Content Security Policy, clickjacking protection, MIME sniffing protection, a privacy-preserving referrer policy, and a limited browser permissions policy. Because the application is static, it does not require database credentials, API keys, or server-side secrets.