What?
"content will now validated before the encryption"
Let's get this right. The attack is: attacker sends malicious content to victim which automatically executes on victim's computer. And their claimed "fix" is to validate the content in JavaScript on the *attacker's* computer???!!! JavaScript that the attacker could easily modify or bypass.
The proper fix is to make the receiver (victim) side *not automatically run executable content*.
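
The argument above as an added example (not part of the original comment and not the vendor's code): a sender-side check before encryption is skipped by a modified client, while a receiver that treats decrypted content as inert text is unaffected. All function names are hypothetical, the XOR "cipher" is only a stand-in for the real encryption, and the message is a constructed sample.

```javascript
// Stand-in for the real cipher: XOR with a fixed byte (constructed, NOT secure).
const KEY = 0x5a;
const xor = (buf) => Buffer.from(Uint8Array.from(buf, (b) => b ^ KEY));
const seal = (text) => xor(Buffer.from(text, 'utf8')).toString('base64');
const open = (blob) => xor(Buffer.from(blob, 'base64')).toString('utf8');

// The claimed fix: validate on the sender's machine, then encrypt.
function officialSend(text) {
  if (/<\s*script/i.test(text)) {
    throw new Error('rejected by sender-side validation');
  }
  return seal(text);
}

// The sender controls their own client, so the check is optional for them.
// The receiver cannot tell which client produced the ciphertext.
function modifiedSend(text) {
  return seal(text);
}

// Receiver that trusts the sender's validation: decrypted content is handed
// to the renderer as markup (the browser equivalent is innerHTML).
function receiveTrusting(blob) {
  return open(blob);
}

// Receiver-side fix: decrypted content is data, never markup
// (the browser equivalent is textContent).
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function receiveInert(blob) {
  return open(blob).replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// Constructed sample message.
const sample = '<script>alert(1)</script>';

function demo() {
  let blockedByOfficialClient = false;
  try { officialSend(sample); } catch (e) { blockedByOfficialClient = true; }
  const blob = modifiedSend(sample); // same ciphertext format, no check
  return {
    blockedByOfficialClient,
    trusting: receiveTrusting(blob),
    inert: receiveInert(blob),
  };
}

console.log(demo());
```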