Unfortunately, this problem that you are trying to solve has been tried numerous times and resulted in failure.
There are just too many inconsistencies in the way browsers allow loading of JavaScript. Something that looks to a scanner as malevolent can actually turn up in the browser as something that ends up running.
So, unless you're somehow able to sandbox everything and able to stop causing the JavaScript to poke out, it is incredibly difficult to scan for JS issues such as this one, especially when you're handling user-created HTML.
In fact, this is exactly the sort of problem why I created a Markdown no-nonsense editor instead (http://www.nimblenot.es/).
Ooh, these are good insights! (nimblenotes is great too!) Perhaps it would be possible for me to save the ZenPen output as Markdown (compressed) and then re-assemble it into HTML on load... ideally avoiding sneaky man-edited HTML altogether.
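The approach proposed in the comment above (store Markdown, rebuild the HTML on load) is sketched below as an added example that is not code from the thread, ZenPen or nimblenotes. The function names, the supported Markdown subset and the sample input are assumptions made for illustration.

```javascript
// Added example, not code from the thread. Function names are hypothetical.
// Renders a small Markdown subset; raw HTML in the input is never passed through.

// Escape every character that can open a tag, entity or attribute value.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Allowlist of link schemes; javascript:, data: and the rest are rejected.
function isSafeHref(url) {
  return /^(https?:\/\/|mailto:)/i.test(url);
}

// Runs on already-escaped text, so the only tags in the output are the
// ones written here.
function renderInline(escaped) {
  return escaped
    .replace(/\[([^\]]+)\]\(([^)\s*]+)\)/g, (match, label, url) =>
      isSafeHref(url) ? `<a href="${url}" rel="noopener noreferrer">${label}</a>` : label)
    .replace(/\*\*([^*]+)\*\*/g, '<strong>$1</strong>')
    .replace(/\*([^*]+)\*/g, '<em>$1</em>');
}

// Blocks are separated by blank lines: "#" to "###" headings, else paragraphs.
function renderMarkdown(source) {
  return source.split(/\n{2,}/).map((block) => {
    const text = block.trim();
    if (!text) return '';
    const heading = /^(#{1,3})\s+(.*)$/.exec(text);
    if (heading) {
      const level = heading[1].length;
      return `<h${level}>${renderInline(escapeHtml(heading[2]))}</h${level}>`;
    }
    return `<p>${renderInline(escapeHtml(text))}</p>`;
  }).filter(Boolean).join('\n');
}

// Constructed sample: a stored note that mixes Markdown with hand-edited HTML.
const sample = [
  '# Notes',
  'Some **bold** and *italic* text.',
  '<script>alert(1)</script> [x](javascript:alert(1))',
].join('\n\n');
console.log(renderMarkdown(sample));
```

Because escaping happens before any tag is written, the stored document can hold arbitrary text and the rendered page still contains only `h1` to `h3`, `p`, `strong`, `em` and `a`.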
My first thought was "Cool! Damn, not Markdown." Security issues aside, I think you've addressed the use case for the "common man" well. I (and I think many of the geeks here) would prefer a Markdown variant though. No selecting and clicking to bold things, no reaching for the mouse, etc. That being said, the ability to bold and italicize without leaving the keyboard is a pretty standard text editor feature at this point that ZenPen would do well to incorporate, and the functionality would be reusable in a Markdown variant too.