--- rxvt-unicode/src/perl/confirm-paste	2010/07/24 13:04:27	1.1
+++ rxvt-unicode/src/perl/confirm-paste	2021/10/21 06:18:41	1.11
@@ -1,21 +1,44 @@
 #! perl
 
+=head1 NAME
+
+confirm-paste - ask for confirmation before pasting control characters
+
+=head1 DESCRIPTION
+
+Displays a confirmation dialog when a paste containing control characters
+is detected.
+
+This is mostly meant as a defense-in-depth mechanism to protect against
+the common web browser bug of you selecting some text but the browser
+pasting a completely different text, which has some attack potential.
+
+It can also be useful to prevent you from accidentally pasting large
+amounts of text.
+
+=cut
+
 sub msg {
    my ($self, $msg) = @_;
 
-   $self->{overlay} = $self->overlay (0, -1, $self->strwidth ($msg), 1);
+   $self->{overlay} = $self->overlay (0, -1, $self->ncol, 2, urxvt::OVERLAY_RSTYLE, 0);
    $self->{overlay}->set (0, 0, $msg);
 }
 
 sub on_tt_paste {
    my ($self, $str) = @_;
 
-   my $count = ($str =~ tr/\012\015//);
-
-   return unless $count;
+   my $count = ($str =~ tr/\x00-\x1f\x80-\x9f//)
+      or return;
 
    $self->{paste} = \$str;
-   $self->msg ("Paste of $count lines, continue? (y/n)");
+   $self->msg ("Pasting $count control characters, continue? (y/n)");
+
+   my $preview = substr $self->locale_decode ($str), 0, $self->ncol;
+   $preview =~ s/\n/\\n/g;
+   $preview =~ s/([\x00-\x1f\x80-\x9f])/sprintf "\\x%02x", ord $1/ge;
+
+   $self->{overlay}->set (0, 1, $self->special_encode ($preview));
    $self->enable (key_press => \&key_press);
 
    1