By default runcode santized document prefix but if html encode to document.write('<iframe src=file:///etc/passwd></iframe>')
then we can inserted html encoded func to html tag event like onerror
<img src>
POC:
https://drive.google.com/file/d/1_Jh133kMAqMf8AUWrrjbOqRQpHSKlVyO/view?usp=sharing
https://drive.google.com/file/d/1ek5dg4PG3rADuUPPXUOlKE6qSVGmKdZB/view?usp=sharing
<img src>
Github issue:
https://github.com/alagrede/znote-app/issues/73