I've been working with the widget connector today and, while reading through the code, I noticed that the media URIs are not being handled securely.
In general there is no unified way to prevent issues like this in the widget extensions, and it is up to the extension developer to provide a secure implementation of the extension. IMO it should be the RenderManager's responsibility to automatically encode these URIs. Potentially, all the String parameters passed into the Velocity renderer could be auto-encoded as well (though Anti-XSS mode will take care of this in the future).
Also, while you are at it, I suggest that you change the way matches(String) is implemented in the bundled renderers.
For example instead of:
it should really be:
This means that the developer doesn't need to worry twice about creating a safe htmlUrl string and, more importantly, a custom renderer won't be invoked for bogus or malicious URIs.
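As an added illustration of the matches(String) suggestion (this is example code written for this page, not the widget connector's own renderers, and the host list, method names and sample URIs are hypothetical): a loose substring-based match beside a strict one that parses the URI with java.net.URI and only accepts http(s) URIs whose host is exactly one of the expected hosts. The strict version rejects non-URI strings, javascript: and other schemes, look-alike hosts and anything carrying user info, so the renderer is never invoked for them; an attribute encoder is included because whatever the match accepts still has to be encoded before it is placed into an HTML attribute.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

/**
 * Hypothetical renderer matching logic (added example, not the connector's code).
 * Compares a substring-style matches() with a parse-and-validate matches().
 */
public class MediaUriMatching {

    // Hosts this hypothetical renderer is willing to embed content from (assumed).
    private static final Set<String> ALLOWED_HOSTS =
            Set.of("example-video.invalid", "www.example-video.invalid");

    // Loose check: fires for anything that merely mentions the host, including
    // "javascript:alert(1)//example-video.invalid" or an attacker-controlled
    // look-alike such as "http://example-video.invalid.evil.test/".
    public static boolean matchesLoosely(String url) {
        return url != null && url.toLowerCase(Locale.ROOT).contains("example-video.invalid");
    }

    // Strict check: parse, require http or https, require an exact allowed host,
    // and reject anything that fails to parse or carries user info.
    public static boolean matchesStrictly(String url) {
        if (url == null) {
            return false;
        }
        URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            // Quotes, spaces and other illegal characters never reach the renderer.
            return false;
        }
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null) {
            return false; // opaque URIs (javascript:, data:, ...) have no host
        }
        scheme = scheme.toLowerCase(Locale.ROOT);
        if (!scheme.equals("http") && !scheme.equals("https")) {
            return false;
        }
        if (uri.getRawUserInfo() != null) {
            return false; // "https://allowed.host@evil.test/" style confusion
        }
        return ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    // Encode for use inside a double-quoted HTML attribute; a renderer must do
    // this (or have the RenderManager do it) before building the embed markup.
    public static String encodeForHtmlAttribute(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one legitimate URI and three hostile ones.
        String[] samples = {
            "https://www.example-video.invalid/watch?v=abc123",
            "http://example-video.invalid.evil.test/",
            "javascript:alert(1)//example-video.invalid",
            "https://www.example-video.invalid/x\" onload=\"alert(1)",
        };
        for (String s : samples) {
            System.out.printf("%-55s loose=%-5s strict=%-5s%n",
                    s, matchesLoosely(s), matchesStrictly(s));
        }
        // Only the first sample passes the strict check; it is then encoded
        // before being placed into the htmlUrl attribute.
        String accepted = samples[0];
        if (matchesStrictly(accepted)) {
            System.out.println("<iframe src=\"" + encodeForHtmlAttribute(accepted) + "\"></iframe>");
        }
    }
}
```

Running this prints loose=true for all four samples and strict=true only for the first; the look-alike host, the javascript: URI and the attribute-injection attempt are all rejected before any renderer code runs.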
NOTE: Please do not publish this report sooner than 30 days after a fix is available