Feature request: XSS attack protection

Hi, I’m new to Anki, and thanks for the great app. It has helped me a lot.

But it seems that the cards are vulnerable to XSS attacks. A user is easily attacked just by importing a malicious deck.

An option to disable JavaScript execution would be very helpful. Thanks for considering.

1 Like

Anki does take some steps to limit the damage malicious JS could do - JS has access only to a small API outside of the webview, and AnkiWeb runs it on a separate domain. But having said that, an option to disable JS completely may well come in the future.