So you're saying ftp support could have simply been disabled by default where people who need it can simply turn it on? Also, the attack you're describing is a "cross protocol" attack for which modern browsers (at least firefox) have mitigations in place.