ondratu / formiko

reStructuredText editor and live previewer

Default preview is vulnerable to XSS

oneschirm opened this issue · comments

Issue: The default markdown preview pane in formiko is vulnerable to XSS and to loading arbitrary external content.

Steps to reproduce:

  • Open a new instance of formiko
  • Check that application is set to "Both" for the view
  • Paste the below code in the editor:

```html
<script>
localStorage.setItem('test','i guess it renders')
document.write(localStorage.getItem('test'));
</script>
<iframe width="560" height="315" src="https://www.youtube-nocookie.com/embed/XOJAddj_SJE?controls=0" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
```

Thanks a lot, and a very good point.

Problem is that formiko uses JavaScript for scrolling the page at the moment, so this fix can't be so easy.

One can set enable-javascript-markup to FALSE. This would effectively remove all JavaScript from the page while still allowing you to run webkit_web_view_run_javascript ().
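One way to apply the enable-javascript-markup suggestion above, as an added example that is not formiko's own code: a WebKit2 preview view whose settings ignore `<script>` in the rendered document while the application can still scroll it through run_javascript(), plus a decide-policy handler that vetoes frame loads from anywhere other than about: or file: URIs, which covers the external `<iframe>` from the report (disabling page JavaScript alone does not). It assumes PyGObject with GTK 3 and WebKitGTK 4.0 (2.24 or later for the markup switch); the helper names, the allowlist of schemes, the sample payload and the assumption that WebKitGTK emits decide-policy for subframe navigations are mine.

```python
# Added example, not formiko's own code: a preview WebView configured so that
# <script> in the rendered document is ignored while the application itself can
# still drive scrolling through run_javascript(), plus a policy handler that
# refuses frame loads from anywhere but about:/file: URIs.
# Assumes PyGObject with GTK 3 and WebKitGTK 4.0 (>= 2.24 for the markup switch);
# all function, class and constant names below are my own.
import json

try:
    import gi
    gi.require_version("Gtk", "3.0")
    gi.require_version("WebKit2", "4.0")
    from gi.repository import Gtk, WebKit2
except (ImportError, ValueError):
    # Let the pure helpers below be imported and tested without a GTK stack.
    Gtk = WebKit2 = None

# Constructed payload in the shape of the report's proof of concept.
POC_HTML = (
    "<h1>preview</h1>"
    "<script>document.write('script ran')</script>"
    "<iframe src='https://example.invalid/embed'></iframe>"
)

# Assumed allowlist: the preview is generated locally, so only these may load.
ALLOWED_SCHEMES = ("about:", "file:")


def harden_settings(settings):
    """Disable JavaScript that comes from the page, keep the engine available.

    enable-javascript stays on so run_javascript() keeps working;
    enable-javascript-markup off makes WebKit ignore <script> elements,
    inline event handlers and javascript: URIs found in the content itself.
    """
    settings.set_enable_javascript(True)
    settings.set_enable_javascript_markup(False)
    return settings


def allowed_request(uri):
    """Only about:/file: frames may load; this is what blocks the <iframe>."""
    return uri is not None and uri.startswith(ALLOWED_SCHEMES)


def scroll_script(fraction):
    """JS the application injects to sync the preview with the editor.

    The only interpolated value is a clamped float, so nothing typed into the
    editor can reach the script text.
    """
    f = min(1.0, max(0.0, float(fraction)))
    return ("window.scrollTo(0, (document.documentElement.scrollHeight"
            " - window.innerHeight) * %s);" % json.dumps(f))


def on_decide_policy(web_view, decision, decision_type):
    """decide-policy handler: veto navigations and responses off the allowlist.

    Assumption: WebKitGTK emits this signal for subframe navigations too.
    Subresources such as <img> are not policy decisions and are not covered.
    """
    if decision_type in (WebKit2.PolicyDecisionType.NAVIGATION_ACTION,
                         WebKit2.PolicyDecisionType.NEW_WINDOW_ACTION):
        uri = decision.get_navigation_action().get_request().get_uri()
    elif decision_type == WebKit2.PolicyDecisionType.RESPONSE:
        uri = decision.get_response().get_uri()
    else:
        return False
    if allowed_request(uri):
        return False  # fall through to WebKit's default decision (use)
    decision.ignore()
    return True


def on_load_changed(view, event):
    # App-driven scrolling still works even though page scripts are ignored.
    if event == WebKit2.LoadEvent.FINISHED:
        view.run_javascript(scroll_script(0.5), None, None)


def build_preview():
    view = WebKit2.WebView()
    view.set_settings(harden_settings(WebKit2.Settings()))
    view.connect("decide-policy", on_decide_policy)
    view.connect("load-changed", on_load_changed)
    view.load_html(POC_HTML, "about:blank")
    return view


if __name__ == "__main__" and Gtk is not None:
    win = Gtk.Window(title="preview hardening example")
    win.set_default_size(640, 480)
    win.add(build_preview())
    win.connect("destroy", Gtk.main_quit)
    win.show_all()
    Gtk.main()
```

With the payload from the report loaded this way, the `<script>` block is not executed and the YouTube frame is refused by the policy handler, while the load-changed callback still scrolls the view. Images and other subresources referenced from the document are not policy decisions, so an external `<img>` would still be fetched; blocking those needs a WebKit content filter rather than this handler.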