Strip javascript in golang transformer #148

Closed
Gregable opened this issue Oct 8, 2018 · 1 comment
Gregable commented Oct 8, 2018

Users of the packager may mistakenly transform and sign non-amp content. The AMP Cache will reject this, but for security we want some light protections against this content being usable. This issue tracks removing non-amp javascript from the document in a new transformer.

The steps we should take are:

For each <script> tag on the page, if any one of the following is true:

  • It has a src attribute whose value is not prefixed by https://cdn.ampproject.org/ (case-insensitive match).
  • It has no src attribute and no type attribute (case-insensitive match).
  • It has a type attribute whose value is neither application/json nor application/ld+json (case-insensitive match on both name and value).

Then, remove the <script> tag and all descendant nodes of the <script> tag, including text / cdata nodes.

For example:

  • <script async src="https://cdn.ampproject.org/v0.js"> should not be removed
  • <script async custom-element='amp-analytics' src='https://cdn.ampproject.org/v0/amp-analytics-0.1.js'> should not be removed.
  • <script src='http://example.com/example.js'> should be removed.
  • <script>foo</script> should be removed
  • <script type=application/javascript>foo</script> should be removed
  • <script type=application/json>foo</script> should not be removed
  • <script type=application/json src="https://cdn.ampproject.org/v0.js">

For every tag on the page, if the tag has an attribute with a case-insensitive prefix of on followed by another alphabetic character ([A-Za-z]), then remove that attribute. For example:

  • on should not be removed.
  • on-foo should not be removed
  • onfoo should be removed
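As an added illustration, not code from the issue or from the packager itself, here are the rules above written as Go predicates plus a tree walk that applies them to every tag and drops matching <script> subtrees whole; the minimal Node type, its field names and the function names are assumptions made for this example, and the tree is a constructed stand-in for a parsed document.

```go
package main

import "strings"

// Node is a minimal stand-in for an HTML element, constructed for this example (not the transformer's own type).
type Node struct {
	Tag      string
	Attrs    map[string]string
	Children []*Node
}

// shouldRemoveScript applies the issue's three rules to one <script> tag's attributes.
func shouldRemoveScript(attrs map[string]string) bool {
	lc := map[string]string{} // names and values lowercased: every rule matches case-insensitively
	for name, v := range attrs {
		lc[strings.ToLower(name)] = strings.ToLower(v)
	}
	src, hasSrc := lc["src"]
	typ, hasType := lc["type"]
	return (hasSrc && !strings.HasPrefix(src, "https://cdn.ampproject.org/")) || // 1: not the AMP CDN
		(!hasSrc && !hasType) || // 2: bare inline script
		(hasType && typ != "application/json" && typ != "application/ld+json") // 3: non-JSON type
}

// shouldRemoveAttr is true for "on" followed by an ASCII letter, i.e. an inline event handler.
func shouldRemoveAttr(name string) bool {
	if len(name) < 3 || !strings.EqualFold(name[:2], "on") {
		return false // "on" alone and "on-foo" stay, as the issue's examples say
	}
	c := name[2] | 0x20 // ASCII case fold; any non-letter byte lands outside 'a'..'z'
	return c >= 'a' && c <= 'z'
}

// sanitize walks the tree in place, dropping offending <script> subtrees (text/CDATA too) and on* attributes.
func sanitize(n *Node) {
	for name := range n.Attrs {
		if shouldRemoveAttr(name) {
			delete(n.Attrs, name)
		}
	}
	kept := n.Children[:0]
	for _, c := range n.Children {
		if strings.EqualFold(c.Tag, "script") && shouldRemoveScript(c.Attrs) {
			continue // neither the node nor its descendants are kept
		}
		sanitize(c)
		kept = append(kept, c)
	}
	n.Children = kept
}
```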
@alin04 alin04 self-assigned this Oct 12, 2018
alin04 added a commit that referenced this issue Oct 12, 2018
PiperOrigin-RevId: 216936577
twifkak pushed a commit that referenced this issue Oct 12, 2018
PiperOrigin-RevId: 216936577
@Gregable (Member, Author) commented:
@alin04 OK to close this or is there more that needs to be done?

@alin04 alin04 closed this as completed Oct 15, 2018
twifkak added a commit that referenced this issue Dec 18, 2019
…ansformer

was #148, and text/plain scripts should not be relevant to that aim. Note that
the text/plain scripts used by the amp-script component are further guarded by
computeMaxAgeSeconds in transformer.go.

PiperOrigin-RevId: 286250297