diff --git a/src/trix/models/html_parser.coffee b/src/trix/models/html_parser.coffee
index 57b45db1d..793ba55a8 100644
--- a/src/trix/models/html_parser.coffee
+++ b/src/trix/models/html_parser.coffee
@@ -238,7 +238,12 @@ class Trix.HTMLParser extends Trix.BasicObject
parseTrixDataAttribute = (element, name) ->
try
- JSON.parse(element.getAttribute("data-trix-#{name}"))
+ data = JSON.parse(element.getAttribute("data-trix-#{name}"))
+
+ if data.contentType == "text/html" and data.content
+ data.content = HTMLSanitizer.sanitize(data.content).getHTML()
+
+ data
catch
{}
diff --git a/src/trix/models/html_sanitizer.coffee b/src/trix/models/html_sanitizer.coffee
index 87008ebad..d3fabb08e 100644
--- a/src/trix/models/html_sanitizer.coffee
+++ b/src/trix/models/html_sanitizer.coffee
@@ -3,7 +3,7 @@
class Trix.HTMLSanitizer extends Trix.BasicObject
DEFAULT_ALLOWED_ATTRIBUTES = "style href src width height class".split(" ")
DEFAULT_FORBIDDEN_PROTOCOLS = "javascript:".split(" ")
- DEFAULT_FORBIDDEN_ELEMENTS = "script iframe".split(" ")
+ DEFAULT_FORBIDDEN_ELEMENTS = "script iframe noscript".split(" ")
@sanitize: (html, options) ->
sanitizer = new this html, options
diff --git a/test/src/system/pasting_test.coffee b/test/src/system/pasting_test.coffee
index b08f5d94a..24b045811 100644
--- a/test/src/system/pasting_test.coffee
+++ b/test/src/system/pasting_test.coffee
@@ -53,6 +53,31 @@ testGroup "Pasting", template: "editor_empty", ->
delete window.unsanitized
done()
+ test "paste unsafe html with noscript", (done) ->
+ window.unsanitized = []
+ pasteData =
+ "text/plain": "x",
+ "text/html": "