Multiple Widget Connector renderers do not check the URL before it is matched


    • Severity 2 - Major

      Many renderers in the Widget Connector use only url.contains(MATCH_URL) to decide whether to invoke the rendering service. A plain substring test accepts "Web Site's Widget URL" values such as javascript:document.write(document.cookie);//#docs.google.com, because the expected host appears somewhere in the string even though it is not the URL's host.

      Although the attempted XSS is not executed, velocityRenderService is still called for the invalid URL.

      The parameter should be validated with WidgetConnectorUtil.isURLMatch(url, MATCH_URL) before it is treated as a match.

      To reproduce:
      enter the following using the standard macro markup:

      {widget:url= javascript:document.write(document.cookie);//#docs.google.com}

      Notice that the widget renders despite the invalid URL.
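      The following is an added example, not code from the Widget Connector plugin: it contrasts the substring test the report describes with a host-based check. The naive function mirrors url.contains(MATCH_URL); the strict function is an assumed stand-in for what a proper check should do (require an http or https scheme and a host equal to, or a subdomain of, MATCH_URL) and is not the project's WidgetConnectorUtil.isURLMatch. The inputs are constructed; the first is the payload from this report, the rest generalise the same substring weakness to other positions where the expected host can appear.

```python
from urllib.parse import urlparse

# The host a hypothetical Google Docs renderer expects (assumed value for the example).
MATCH_URL = "docs.google.com"


def naive_matches(url: str, match_url: str = MATCH_URL) -> bool:
    """Mirrors the substring test described in the report: url.contains(MATCH_URL).

    Any string that contains match_url anywhere (scheme, fragment, query, userinfo,
    or a longer host) is accepted, so the renderer is selected for a URL it should reject.
    """
    return match_url in url


def strict_matches(url: str, match_url: str = MATCH_URL) -> bool:
    """Assumed hardened check (a stand-in, not WidgetConnectorUtil.isURLMatch).

    Parse the URL, require an http(s) scheme, and compare only the parsed host:
    it must equal match_url or be a subdomain of it. The fragment, query, path and
    userinfo are deliberately ignored, which is what defeats the payloads below.
    """
    parsed = urlparse(url.strip())
    if parsed.scheme not in ("http", "https"):
        return False
    host = parsed.hostname or ""   # already lower-cased by urlparse, userinfo stripped
    if not host:
        return False
    return host == match_url or host.endswith("." + match_url)


# Constructed test inputs. The first is the exact value from the report.
SAMPLE_URLS = [
    "javascript:document.write(document.cookie);//#docs.google.com",  # report payload
    "https://docs.google.com/spreadsheets/d/abc",                      # legitimate
    "https://drive.docs.google.com/x",                                 # legitimate subdomain
    "https://docs.google.com.example/",                                # host prefix trick
    "https://docs.google.com@evil.example/",                           # userinfo trick
    "https://evil.example/?next=docs.google.com",                      # match in query
]


def compare(urls=SAMPLE_URLS):
    """Return {url: (naive_result, strict_result)} so the two checks can be compared."""
    return {u: (naive_matches(u), strict_matches(u)) for u in urls}


if __name__ == "__main__":
    for url, (naive, strict) in compare().items():
        print(f"naive={naive!s:5} strict={strict!s:5}  {url}")
```

      With the substring test every one of the constructed inputs is accepted; with the host-based check only the two genuine docs.google.com URLs pass. Whatever the real isURLMatch does, the point is that the decision must be made on the parsed host, not on whether the expected host string occurs somewhere in the raw parameter.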

              Assignee: Unassigned
              Reporter: PatrickA
              Votes: 0
              Watchers: 2