reveal.js is vulnerable to cross-site scripting (XSS). The vulnerability exists because the library does not restrict data (such as code, description and callback) received from arbitrary origins, and `setupPostMessage` invokes methods without validating `data.method` against any blacklist. The data is then rendered directly as arbitrary HTML in the `showHelp` function.
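The dispatch pattern described above, next to a hardened form, as an added example that is not reveal.js source code. The toy API, `addHelpEntry`, the origin `https://slides.example.com` and the method allowlist are all assumptions made for illustration.

```javascript
// Added example: hypothetical names throughout, not reveal.js source.
const ALLOWED_ORIGINS = new Set(['https://slides.example.com']); // assumed trusted parent
const ALLOWED_METHODS = new Set(['next', 'prev', 'slide']);      // navigation only

// Toy stand-in for the presentation API (constructed for this example).
function makeApi() {
  const shortcuts = {};
  return {
    calls: [],
    shortcuts,
    next() { this.calls.push('next'); },
    prev() { this.calls.push('prev'); },
    slide(h, v) { this.calls.push(`slide:${h},${v}`); },
    // Stores a description that the help overlay later displays.
    addHelpEntry(key, description) { shortcuts[key] = description; },
  };
}

// The pattern the advisory describes: any sender, any method name.
function dispatchUnsafe(api, event) {
  const data = JSON.parse(event.data);
  if (typeof api[data.method] === 'function') api[data.method](...(data.args || []));
}

// Hardened: check the sender's origin, then an explicit method allowlist.
function dispatchSafe(api, event) {
  if (!ALLOWED_ORIGINS.has(event.origin)) return false;
  let data;
  try { data = JSON.parse(event.data); } catch { return false; }
  if (!data || typeof data.method !== 'string' || !ALLOWED_METHODS.has(data.method)) return false;
  const args = Array.isArray(data.args) ? data.args : [];
  api[data.method](...args);
  return true;
}

// Defence in depth for the help overlay: escape before building HTML.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

function renderHelp(shortcuts) {
  return Object.entries(shortcuts)
    .map(([k, d]) => `<tr><td>${escapeHtml(k)}</td><td>${escapeHtml(d)}</td></tr>`)
    .join('');
}
```

An allowlist is used here instead of a blacklist so that methods added to the API later are not reachable from `postMessage` by default.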