The document history at the bottom of window renders HTML. This is a vulnerability, an attacker can inject hidden javascript to get everybody’s cookies.