This repository has been archived by the owner on Sep 4, 2019. It is now read-only.
When sending a request to an address it seems the address is evaluated by webkit before the request goes through our request & whitelist logic.
A request to http://rim.com', http://rim.com%, http://rim.com& and a few other combinations including possible XSS attacks such as http://rim.com');console.log('btw I can remotely execute code in your app');// will direct to a different page displaying an _Error: This webpage is unavailable. Check the URL and try again._
When a request is made to a non-address like ');alert('asd');// it also directs to a different page with _Error: This file could not be opened. Check that you have the correct permissions and try again._
A request to http://rim.com# will result in a request to http://rim.com/#
I haven't tested all possibilities but I just wanted to point out this separate issue that I have come across while investigating the current XSS issue.
I've tried a couple of possible XSS attacks that I came up with but I have not been able to do so successfully, mainly due to the above issue I am having where requests never make it to our framework logic.
See gtanner's comment in blackberry-webworks#18
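
One way to make a whitelist decision on the parsed form of an address rather than on the raw string, run over the inputs listed in this issue. This is an added example, not code from the WebWorks framework; `checkRequest`, the hostname rule and the single `rim.com` whitelist entry are assumptions made for illustration.

```javascript
// Added example: hypothetical whitelist check, not WebWorks framework code.
const ALLOWED_HOSTS = new Set(["rim.com"]); // assumed whitelist entry
// Letters, digits and hyphens only, in dot-separated labels.
const LDH_HOST = /^[a-z0-9-]+(\.[a-z0-9-]+)*$/;

function checkRequest(raw) {
  let url;
  try {
    // Strict parse with no base URL: non-addresses throw instead of
    // being resolved as relative paths or local files.
    url = new URL(raw);
  } catch (e) {
    return { allowed: false, reason: "unparseable" };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { allowed: false, reason: "scheme" };
  }
  // The parser lowercases the host but can leave characters such as ' or &
  // in it, so the host is validated before it is compared.
  if (!LDH_HOST.test(url.hostname)) {
    return { allowed: false, reason: "hostname characters" };
  }
  if (!ALLOWED_HOSTS.has(url.hostname)) {
    return { allowed: false, reason: "not whitelisted" };
  }
  // Callers should issue the request with this normalized form only.
  return { allowed: true, reason: "ok", href: url.href };
}

// Inputs quoted in the issue above, plus one constructed off-whitelist host.
const SAMPLES = [
  "http://rim.com'",
  "http://rim.com%",
  "http://rim.com&",
  "http://rim.com');console.log('btw I can remotely execute code in your app');//",
  "');alert('asd');//",
  "http://rim.com#",
  "http://other.example/", // constructed sample
];

function classifyAll(inputs) {
  return inputs.map((raw) => ({ raw, ...checkRequest(raw) }));
}

for (const r of classifyAll(SAMPLES)) {
  console.log(r.allowed ? "ALLOW" : "DENY ", r.reason, JSON.stringify(r.raw));
}
```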