Hello,

The WindowIdHtmlRenderer writes the cookie content of the dsrwid cookie
directly into the page body when using the <ds:windowId/> tag. You might
want to escape the content, do a sanity check, or at least do the same
shortening that the windowId request parameter has.

A small example: having a cookie like "dsrwid--9414" with the content
"-9414'+alert('HelloWorld')+'" will open a HelloWorld alert when the
window id is "-9414".

Kind regards
Ortwin Escher
Fachreferent, Fahrzeug IT, VC-M1
IAV GmbH
Rockwellstrasse 16
38518 GIFHORN
GERMANY
Internet: http://www.iav.com
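
The three mitigations suggested in the report above (sanity check, shortening, escaping), sketched as an added example that is not part of the original message and is not DeltaSpike's own code. The class name, the allowlist pattern and the 10-character limit are assumptions; the sample cookie content is the one quoted in the report.

```java
import java.util.Optional;
import java.util.regex.Pattern;

// Added example: hypothetical helper, not DeltaSpike's own code.
public final class WindowIdSanitizer {
    // Assumed limit; the report only says the request parameter is shortened.
    static final int MAX_LENGTH = 10;
    // Assumed allowlist: ASCII letters, digits, '-' and '_' (fits "-9414").
    private static final Pattern SAFE = Pattern.compile("[A-Za-z0-9_-]+");

    /** Sanity check: accept the cookie value only if short and allowlisted. */
    static Optional<String> validate(String cookieValue) {
        if (cookieValue == null || cookieValue.length() > MAX_LENGTH
                || !SAFE.matcher(cookieValue).matches()) {
            return Optional.empty();
        }
        return Optional.of(cookieValue);
    }

    /** Escape for a JavaScript string literal embedded in an HTML page. */
    static String escapeForJsString(String value) {
        StringBuilder out = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            boolean plain = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                    || (c >= '0' && c <= '9') || c == '-' || c == '_';
            if (plain) {
                out.append(c);
            } else {
                // Backslash-u escapes keep quotes, '<' and '/' out of the markup.
                out.append(String.format("\\u%04x", (int) c));
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Cookie content quoted in the report, plus a well-formed id.
        String reported = "-9414'+alert('HelloWorld')+'";
        String wellFormed = "-9414";

        System.out.println(validate(reported).isPresent());   // rejected
        System.out.println(validate(wellFormed).isPresent()); // accepted
        // If the raw value must be rendered anyway, escape it for the context.
        System.out.println(escapeForJsString(reported));
    }
}
```

Validation is the stronger control here because a window id has a narrow expected shape; the escaping routine only covers the JavaScript string context and would not be the right encoder for an HTML attribute or element body.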