Anki does take some steps to limit the damage malicious JS could do - JS has access only to a small API outside of the webview, and AnkiWeb runs it on a separate domain. But having said that, an option to disable JS completely may well come in the future.