Weebly is a drag and drop website builder and allows developers to create custom widgets that users can add and drag onto their pages. These custom widgets can contain javascript for interactivity.
These widgets are not enclosed in an iframe and are inserted straight onto the page.
Besides manually auditing the submitted javascript code when adding the custom element to the App Center, is it possible for them to contain or sandbox the widget without an iframe if it contains malicious code?
