Re: Just kill ALL code in a browser.
And TrueType fonts, which execute on a turing-complete VM with branches, loops, and variables.
And WOFF webfonts, which can contain TrueType, OpenType, or PostScript fonts - the latter being a complete language.
And PDF, which is basically PostScript with embedded TrueType fonts, JS scripts, JPEG and TIFF images - all fertile ground for exploits.
We are screwed.