Tip for working around the security bug
I got a tip I’ll pass along on dealing with the OS X security bug.
If you change the protocol helper for "help" URLs, then the script should not run. I downloaded the More Internet Preference Pane and changed the handler for "help" to the Finder.
It turns out that the bug is more widespread than WebKit—even non-WebKit browsers such as Camino may be vulnerable.
(Thanks to Rob McNair-Huff of Mac Net Journal for the tip.)