Persistent cross-site scripting (XSS) via DailyMotionRenderer


    • 6.5

      A number of renderer classes used by the widget macro were previously identified as containing URL validation flaws that led to persistent cross-site scripting (XSS) vulnerabilities.

      The modified classes now use the isUrlMatch method from the WidgetConnectorUtil class to implement the matches method required by the WidgetRenderer interface. Internally, isUrlMatch constructs a standard Java URL object, and testing indicates that this throws a MalformedURLException when given a maliciously constructed URL that could lead to XSS.

      The DailyMotionRenderer class does not currently make use of the isUrlMatch method and simply uses the contains method from the String class to check for a matching URL. Furthermore, the final URL returned by the getEmbedUrl method (passed directly to velocityRenderService.render to create the HTML returned to the client) simply replaces a substring of the untrusted input parameter, allowing a malicious URL scheme at the start of the URL to remain intact.

      The following value for the "Web Site's Widget URL" parameter of the widget macro demonstrates XSS:

      javascript:document.write(document.cookie);//#dailymotion.com

      Note that in testing this value could not be successfully set via the GUI macro editor and was instead entered using the standard macro markup language as follows:

      {widget:url= javascript:document.write(document.cookie);//#dailymotion.com}
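As an added illustration (not code from the widget connector itself), the substring check described above is shown beside a parse-first check modelled on what the report says isUrlMatch does; the class and method names are assumed, and the sample URLs are constructed from the reported payload plus look-alike hosts:

```java
import java.net.MalformedURLException;
import java.net.URL;
import java.util.Locale;

public class DailyMotionUrlCheck {

    // "Before": the substring test the report describes. Anything that merely
    // mentions the marker passes, including a javascript: URL.
    static boolean matchesBySubstring(String url) {
        return url.contains("dailymotion.com");
    }

    // "After": parse first, then check scheme and host. java.net.URL rejects
    // unknown schemes such as javascript: with a MalformedURLException, and the
    // host comparison defeats look-alike hosts and userinfo tricks.
    static boolean matchesByParsedHost(String url) {
        URL parsed;
        try {
            parsed = new URL(url);
        } catch (MalformedURLException e) {
            return false; // e.g. "unknown protocol: javascript"
        }
        String scheme = parsed.getProtocol();
        if (!scheme.equals("http") && !scheme.equals("https")) {
            return false;
        }
        String host = parsed.getHost();
        if (host == null || host.isEmpty()) {
            return false;
        }
        host = host.toLowerCase(Locale.ROOT);
        return host.equals("dailymotion.com") || host.endsWith(".dailymotion.com");
    }

    public static void main(String[] args) {
        // Constructed inputs: the payload from the report plus look-alike URLs.
        String[] samples = {
            "https://www.dailymotion.com/video/xVIDEOID",
            "javascript:document.write(document.cookie);//#dailymotion.com",
            "http://dailymotion.com.evil.example/video/xVIDEOID",
            "http://dailymotion.com@evil.example/video/xVIDEOID",
            "http://evil.example/?ref=dailymotion.com"
        };
        for (String s : samples) {
            System.out.printf("%-64s contains=%-5s parsed=%s%n",
                    s, matchesBySubstring(s), matchesByParsedHost(s));
        }
    }
}
```

Only the first sample passes the parse-first check; the other four pass the substring check, which is why the scheme of the untrusted input must never reach the rendered template unvalidated.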

              Assignee:
              Petro Semeniuk (Inactive)
              Reporter:
              Richard Turnbull