I just got a bugreport for my online urldecoder
It appears I was a bit careless and people could inject HTML code that would then get executed by the browser. This is now no longer possible, as the output is run through
Just goes to prove that even the simplest of tools need a bit of care. The command line version remains unchanged.