From e7c1761f7ca2710a398997c5d2efae32ad701ffd Mon Sep 17 00:00:00 2001
From: hackademix
Date: Sun, 21 Jul 2019 23:29:19 +0200
Subject: Restore "classic" pasted HTML sanitization feature (patch by barbaz
 with slight modifications).

---
 src/content/sanitizePaste.js | 58 ++++++++++++++++++++++++++++++++++++++++++++
 src/manifest.json            |  3 ++-
 2 files changed, 60 insertions(+), 1 deletion(-)
 create mode 100644 src/content/sanitizePaste.js

(limited to 'src')

diff --git a/src/content/sanitizePaste.js b/src/content/sanitizePaste.js
new file mode 100644
index 0000000..703f5b3
--- /dev/null
+++ b/src/content/sanitizePaste.js
@@ -0,0 +1,58 @@
+'use strict';
+
+window.addEventListener("paste", e => {
+  let data = e.clipboardData;
+  let html =  data.getData("text/html");
+  let t = e.target;
+  if (t.nodeType !== 1) t = t.parentElement;
+
+  try {
+    let node = t.cloneNode();
+
+    node.innerHTML = html;
+
+    if (sanitizeExtras(node)) {
+      let sanitized = node.innerHTML;
+      setTimeout(function() { try {
+        if (sanitizeExtras(t)) {
+          console.log(`[NoScript] Sanitized\n<PASTE>\n${html}\n</PASTE>to\n<PASTE>\n${t.innerHTML}\n</PASTE>`, t);
+        }
+      } catch(ex) {
+       console.log(ex);
+     }}, 0);
+    }
+  } catch(ex) {
+    console.log(ex);
+  }
+
+  function removeAttribute(node, name, value = node.getAttribute(name)) {
+    node.setAttribute(`data-noscript-removed-${name}`, value);
+    node.removeAttribute(name);
+  }
+
+  function sanitizeExtras(el) {
+    let ret = false;
+
+    // remove attributes from forms
+    for (let f of el.getElementsByTagName("form")) {
+      for (let a of f.attributes) {
+        f.removeAttribute(a.name);
+        ret = true;
+      }
+    }
+
+    let urlAttributes = ['href', 'to', 'from', 'by', 'values'];
+    let selector = urlAttributes.map(a => `[${a}]`).join(',');
+    for (let node of el.querySelectorAll(selector)) {
+      for (let name of urlAttributes) {
+        let value = node.getAttribute(name);
+        if (/^\W*(?:(?:javascript|data):|https?:[\s\S]+[[(<])/i.test(unescape(value))) {
+          node.setAttribute(`data-noscript-removed-${name}`, value);
+          node.removeAttribute(name);
+          ret = true;
+        }
+      }
+    }
+    return ret;
+  }
+}, true);
diff --git a/src/manifest.json b/src/manifest.json
index caba4ce..c0fdcb2 100644
--- a/src/manifest.json
+++ b/src/manifest.json
@@ -94,7 +94,8 @@
         "content/PlaceHolder.js",
         "content/embeddingDocument.js",
         "content/webglHook.js",
-        "content/media.js"
+        "content/media.js",
+        "content/sanitizePaste.js"
       ]
     },
     {
-- 
cgit v1.2.3