Insufficient Verification of Data Authenticity
In the @theia/plugin-ext component of Eclipse Theia, Webview contents can be hijacked via postMessage().
In Eclipse Theia versions up to and including, in the notification messages there is no HTML escaping, so JavaScript code can run.
In Eclipse Theia versions up to and including, in the debug console there is no HTML escaping, so arbitrary JavaScript code can be injected.
The Markdown Preview can be exploited to execute arbitrary code.