Default preview is vulnerable to XSS

[oneschirm]

Issue: The default markdown preview pane in formiko is vulnerable to XSS and loading arbitrary external content.

Steps to reproduce:

• Open a new instance of formiko
• Check that application is set to "Both" for the view
• Paste the below code in the editor:

  
  <script>
  localStorage.setItem('test','i guess it renders')
  document.write(localStorage.getItem('test'));
  </script>
  <iframe width="560" height="315" src="https://www.youtube-nocookie.com/embed/XOJAddj_SJE?controls=0" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>```

[ondratu]

Thank's a lot, and very good point.

Problem is, that formiko use javascript for scrolling page at this moment. So this fix can't be so easy.

[johnfactotum]

One can set enable-javascript-markup to FALSE. This would effectively remove all JavaScript from the page while still allowing you to run webkit_web_view_run_javascript ().