This issue was addressed with improved checks. This issue is fixed in macOS Catalina 10.15, watchOS 6, iOS 13, tvOS 13. Processing maliciously crafted web content may lead to a cross site scripting attack.
https://support.apple.com/en-us/HT210634
https://support.apple.com/en-us/HT210607