How to sanitise archive filenames online for free
- Step 1: Open the Filename Sanitiser — Go to the Filename Sanitiser. There are no settings to configure — the tool has a single fixed rule set, so the page is just a drop zone and a run button.
- Step 2: Drop one archive — Drag a single ZIP, TAR, GZIP, 7z, RAR, bzip2 or xz file onto the page, or click to browse. It accepts one file at a time (no folder or batch input). The format is detected from the file's magic bytes, not its extension.
- Step 3: Let it read and rewrite names — The tool extracts the entry list in your browser. ZIP/GZIP/TAR are read with `fflate`; 7z, RAR, bzip2 and xz are read through a libarchive WASM module. Each entry name is passed through the fixed sanitiser: backslashes to slashes, `..` runs to `_`, NUL bytes removed, forbidden characters to `_`, reserved names prefixed.
- Step 4: Read the rename count — The result panel shows `Renames` (how many entry names actually changed) and `Entries` (total entries in the output). If `Renames` is 0, the archive was already safe and the output is just a re-zip of the same names.
- Step 5: Download the sanitised ZIP — The output is always a plain (unencrypted) ZIP named `<original-stem>-sanitized.zip`, compressed at level 6 with `fflate`, regardless of what format you fed in.
- Step 6: Extract the clean ZIP — Unzip the downloaded file with any tool. Because every name is now relative and free of traversal sequences, it cannot write outside your chosen folder. Verify file contents are intact — they are byte-identical to the originals.
Exactly what the sanitiser changes
The fixed transform applied to every entry name, in the order the code runs it (lib/archive/archive-processor.ts). There are no options to toggle any of these on or off.
| Rule | Pattern matched | Replacement | Why |
|---|---|---|---|
| Backslash to slash | \ | / | Normalise Windows-style separators so path logic is consistent |
| Collapse dot-runs | two or more dots in a row (.., ...) | single _ | Defeats ../ and ..\ path traversal (Zip Slip) |
| Strip NUL bytes | \0 (0x00) | deleted | Some payloads inject NUL to truncate path checks |
| Forbidden characters | `< > : " \| ? *` and 0x00–0x1F controls | each becomes _ | These are illegal in NTFS / Win32 filenames |
| Reserved device names | stem equals CON, PRN, AUX, NUL, COM1–COM4, LPT1–LPT2 | prefix _ | Windows reserves these regardless of extension |
| Leading / repeated slashes | ^/+ and /{2,} | stripped / collapsed to one / | Keep every entry relative and well-formed |
| Empty result | name reduces to nothing | _ | Guarantees every entry has a valid name |
What stays exactly the same
Things the sanitiser deliberately does not touch.
| Aspect | Behaviour |
|---|---|
| File contents | Byte-for-byte identical — only names are rewritten |
| Single dot in a name | my.file.txt is left alone; only runs of 2+ dots collapse |
| Forward slash separators | Preserved as directory structure (a/b/c.txt stays nested) |
| Output format | Always a plain ZIP, even if you fed in a 7z or RAR |
| Encryption | Output is never encrypted; an encrypted input ZIP cannot be read (no password is accepted) |
Cookbook
Real entry names before and after the fixed sanitiser. Each line shows the original on the left and the rewritten name on the right.
Classic Zip Slip traversal
The textbook attack: an entry that climbs out of the extraction directory. Each .. run collapses to _, and the leading separators are stripped, so the entry is forced to stay relative.
```
Input archive entries:
  ../../etc/passwd
  ..\..\Windows\System32\x.dll
  docs/readme.txt

Sanitised output:
  _/_/etc/passwd
  _/_/Windows/System32/x.dll
  docs/readme.txt

Renames: 2   Entries: 3
```
Windows-forbidden characters
Names exported from macOS or Linux often contain characters NTFS refuses. Each forbidden character is individually replaced with an underscore; the rest of the name is untouched.
```
Input:
  report:final|v2.docx
  what<is>this?.txt
  notes"quoted".md

Output:
  report_final_v2.docx
  what_is_this_.txt
  notes_quoted_.md

Renames: 3
```
Reserved device names
Windows reserves these names even with an extension. The sanitiser checks the stem (text before the first dot), upper-cased, against the reserved set and prefixes an underscore.
```
Input:
  CON.txt
  data/aux.log
  com1
  LPT2.csv

Output:
  _CON.txt
  data/_aux.log
  _com1
  _LPT2.csv

(Note: COM5–COM9 and LPT3–LPT9 are NOT in the set — they pass through.)
```
NUL byte and control characters
Malformed or hostile archives sometimes embed NUL or other C0 control bytes inside names. NUL is deleted outright; the remaining controls (tab, newline, etc.) become underscores.
```
Input (control bytes shown as escapes):
  evil\0.sh
  line\tbreak\n.txt

Output:
  evil.sh
  line_break_.txt

Renames: 2
```
Already-clean archive
If nothing needs changing, the tool still re-zips and reports zero renames. The output is a plain ZIP even if the input was a 7z or tar.
```
Input (project.7z):
  src/main.ts
  src/util.ts
  README.md

Output (project-sanitized.zip):
  src/main.ts
  src/util.ts
  README.md

Renames: 0   Entries: 3
```
Edge cases and what actually happens
Input ZIP is password-protected
Read error: The sanitiser reads through extractAnyArchive without supplying a password. An encrypted ZIP therefore fails to extract and the run errors out. Decrypt it first, then sanitise. To go the other way (create an encrypted ZIP) see encrypted-zip-creator.
File over the 50 MB free-tier cap
413 rejected: Free tier allows 50 MB and 500 entries per archive. A larger or busier archive is rejected before processing. Pro raises this to 500 MB / 50,000 entries, Pro-media and Developer to 2 GB / 500,000 entries.
Archive has more than 500 entries (free)
Entry limit rejected: The per-archive entry-count limit is separate from the size limit. A 10 MB ZIP with 600 tiny files still trips the free 500-entry cap. Upgrade or split the archive first.
Two different names sanitise to the same safe name
Last write wins: If a:b.txt and a?b.txt both become a_b.txt, they map to the same key in the output and the second entry's data overwrites the first. The tool does not de-duplicate or suffix collisions — check the rename count against the original entry count if this matters.
Single dot in a filename
Preserved: Only runs of two or more dots collapse. v1.2.3.tar keeps every single dot; archive..bak becomes archive_bak. This is intentional so normal extensions survive.
Output is always ZIP
By design: Feed in a .7z, .rar, or .tar.gz and you still get a .zip back. The tool reads many formats but writes only ZIP via fflate. If you need the original container format, sanitise then re-pack with folder-to-zip or convert via archive-format-converter.
COM5–COM9 / LPT3–LPT9 not escaped
Known gap: The reserved-name set is CON, PRN, AUX, NUL, COM1–COM4, LPT1–LPT2 only. Higher device numbers (COM5+, LPT3+) are valid reserved names on Windows but are not prefixed by this tool, so an entry literally named COM9 would extract as-is and Windows would reject it.
Browser blocks WebAssembly
WASM error: 7z, RAR, bzip2 and xz inputs need the libarchive WASM module. A strict extension or enterprise policy that blocks wasm will fail those formats. Plain ZIP, GZIP and TAR use fflate (pure JS) and are unaffected.
Corrupt or non-archive file
Detection error: If the magic bytes don't match any known format and a last-resort ZIP parse also fails, the tool throws `Could not detect or extract archive format`. Verify the file isn't truncated; test it first with archive-integrity-tester.
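The rule table, the cookbook cases, and the collision and COM5+ edge cases above can be checked together before trusting an output ZIP. The following is an added example, not the tool's own source: `sanitiseName` is reconstructed from the rule table on this page, while `auditEntries`, the per-segment reserved-name check and the sample entries are assumptions made for illustration.

```javascript
// Added example: rule set reconstructed from the table on this page,
// not the tool's archive-processor.ts source.
const FORBIDDEN = /[<>:"|?*\x00-\x1f]/g;
const RESERVED = new Set(["CON", "PRN", "AUX", "NUL",
  "COM1", "COM2", "COM3", "COM4", "LPT1", "LPT2"]);
// Device names the page lists as a known gap (not prefixed by the tool).
const GAP = /^(COM[5-9]|LPT[3-9])$/;

// Stem = text before the first dot, upper-cased, as the page describes.
const stem = (segment) => segment.split(".")[0].toUpperCase();

function sanitiseName(name) {
  const cleaned = name
    .replace(/\\/g, "/")        // backslash to slash
    .replace(/\.{2,}/g, "_")    // runs of 2+ dots to one underscore
    .replace(/\0/g, "")         // NUL deleted outright
    .replace(FORBIDDEN, "_")    // forbidden and control characters
    .split("/")                 // assumption: reserved check per path segment
    .map((seg) => (RESERVED.has(stem(seg)) ? "_" + seg : seg))
    .join("/")
    .replace(/^\/+/, "")        // strip leading slashes: entry stays relative
    .replace(/\/{2,}/g, "/");   // collapse repeated slashes
  return cleaned === "" ? "_" : cleaned;
}

// Hypothetical helper: report what a run would change, which inputs collide
// on one output name (last write wins), and which names hit the COM5+/LPT3+ gap.
function auditEntries(names) {
  const byOutput = new Map();
  const gapNames = [];
  let renames = 0;
  for (const name of names) {
    const out = sanitiseName(name);
    if (out !== name) renames += 1;
    if (out.split("/").some((seg) => GAP.test(stem(seg)))) gapNames.push(out);
    byOutput.set(out, [...(byOutput.get(out) || []), name]);
  }
  const collisions = [...byOutput].filter(([, src]) => src.length > 1);
  // entries = distinct output names, i.e. what survives after overwrites
  return { renames, entries: byOutput.size, collisions, gapNames };
}

// Constructed sample entries, taken from the cases this page walks through.
const sample = ["../../etc/passwd", "a:b.txt", "a?b.txt", "data/aux.log", "COM9"];
console.log(auditEntries(sample));
```

A non-empty `collisions` list means data would be lost in the output ZIP, and a non-empty `gapNames` list means an entry can still fail to extract on Windows.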
Frequently asked questions
Is the Filename Sanitiser really free?
Yes. It runs on the free tier with no signup, up to 50 MB and 500 entries per archive. There is no cost and no upload — fflate, @zip.js/zip.js, and the libarchive WASM reader all execute in your browser.
Does my archive get uploaded anywhere?
No. Every step — reading the archive, rewriting names, re-zipping — happens locally in your browser tab. The only server interaction for signed-in users is a single anonymous 'file processed' counter for dashboard stats, which contains no file content.
What formats can it read?
ZIP, GZIP, and TAR via fflate; 7z, RAR, bzip2, and xz via a libarchive WASM module. Format is detected from the file's magic bytes. It always writes a plain ZIP back.
Will it change my file contents?
No. Only entry names are rewritten. The decompressed file data is identical, so any checksum you take of an extracted file matches the original.
What exactly does it do to a name?
Backslashes become slashes; runs of two-plus dots become _; NUL bytes are deleted; < > : " | ? * and control bytes become _; reserved device names (CON, PRN, AUX, NUL, COM1–4, LPT1–2) get a _ prefix; leading and repeated slashes are cleaned; an empty result becomes _.
Why does it output a ZIP when I gave it a 7z?
The reader supports many formats, but the writer only produces ZIP (via fflate). ZIP is the universally-extractable format. If you need to keep a different container, sanitise here then convert with archive-format-converter.
Does it remove the `..` traversal or just flag it?
It rewrites it. Every run of two or more dots collapses to a single underscore, so a traversal path is physically incapable of escaping the extraction directory after sanitising.
Can it handle a password-protected ZIP?
No. It reads without a password, so an encrypted ZIP fails to open. Decrypt it elsewhere first, then run it through the sanitiser.
What happens if two names collapse to the same safe name?
The later entry overwrites the earlier one in the output, because they share the same key. The tool does not auto-suffix collisions, so compare Renames and Entries against the original if you suspect a clash.
Does it escape every Windows reserved name?
It covers CON, PRN, AUX, NUL, COM1–COM4, and LPT1–LPT2. It does not currently prefix COM5–COM9 or LPT3–LPT9, so those rare names pass through unchanged.
How big an archive can I sanitise?
Free: 50 MB / 500 entries. Pro: 500 MB / 50,000 entries. Pro-media and Developer: 2 GB / 500,000 entries. The entry-count cap is enforced independently of the byte size.
What if I just want to strip a top-level folder, not sanitise names?
Different job — use path-prefix-remover to drop a leading directory, or empty-folder-pruner to remove empty directory entries. The sanitiser only fixes unsafe characters and traversal.
Privacy first
Every JAD Archive tool runs entirely in your browser using fflate, @zip.js/zip.js, and the libarchive WASM bridge. Your archives never leave your device — verified by zero outbound network requests during processing.