mdoering / gbif-ecat

Automatically exported from code.google.com/p/gbif-ecat

Input not checked in DWCA validator. Potential security issue. #94

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. Go to http://tools.gbif.org/dwca-validator/
2. Populate the field for "Validate full online archive" with:
http://data.canadensys.net/ipt/resource.do?r=vascan
3. This is the URL of the resource page instead of the archive. Something I did 
by mistake.

What is the expected output? What do you see instead?
I expect a normal error page, saying the file could not be read.
Instead, the file is read anyway, with an odd bleeding effect:
1. Favicon has changed for Canadensys
2. CSS is applied where it can be targeted: links, font, etc.
3. HTML is injected: the Feedback button on the right, the whole page as a 
table in the "Scan records" section, etc.

If you try the same trick with e.g. "http://www.google.com" the effect is less 
dramatic, but those pages return a "validation successful".

What version of the product are you using? On what operating system?
http://tools.gbif.org/dwca-validator/ Version 3.0-SNAPSHOT
Mac OS X. Chrome.

Please provide any additional information below.
I would sanitize some input and show an error page if a link was made to a 
non-DwC-A (e.g. any non-zip file). The potential security issue by injecting 
javascript is probably minimal, but it's still an issue.

Original issue reported on code.google.com by peter.de...@gmail.com on 27 Mar 2012 at 6:11
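The fix the report asks for has two parts: refuse to hand anything that is not a zip archive to the DwC-A parser, and HTML-escape whatever the error page echoes back from the fetched URL so a landing page's markup and script cannot bleed into the validator's own page. The following is an added illustration of both checks in Python; it is not the validator's own (Java) code, and the two sample responses (a small constructed archive and a constructed HTML page) stand in for what an HTTP fetch of the two URLs in the report might return.

```python
import html
import io
import zipfile
from typing import Optional

# Constructed sample inputs (no network access): a minimal archive and an HTML
# landing page of the kind the reporter pasted by mistake.
def make_sample_archive() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("meta.xml", "<archive xmlns='http://rs.tdwg.org/dwc/text/'/>")
        zf.writestr("occurrence.txt", "id\tscientificName\n1\tAcer rubrum\n")
    return buf.getvalue()

SAMPLE_HTML_PAGE = (
    b"<html><head><link rel='icon' href='/favicon.ico'></head>"
    b"<body><script>alert(1)</script><table><tr><td>vascan</td></tr></table>"
    b"</body></html>"
)

# Zip local-file-header signature and the end-of-central-directory signature
# of an empty archive; anything else is rejected before parsing starts.
ZIP_MAGIC = (b"PK\x03\x04", b"PK\x05\x06")


def looks_like_zip(data: bytes) -> bool:
    """Cheap content sniff: do not trust the URL or Content-Type alone."""
    return data[:4] in ZIP_MAGIC


def classify_download(data: bytes, content_type: Optional[str]) -> dict:
    """Decide whether fetched bytes may be given to the DwC-A parser.

    Returns {'ok': True, 'entries': [...]} for a plausible archive, otherwise
    {'ok': False, 'reason': ...} so the caller renders an error page instead.
    """
    if not looks_like_zip(data):
        return {"ok": False, "reason": "not-a-zip", "content_type": content_type}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return {"ok": False, "reason": "corrupt-zip", "content_type": content_type}
    if "meta.xml" not in names:
        return {"ok": False, "reason": "no-meta-xml", "content_type": content_type}
    return {"ok": True, "entries": names}


def render_error(url: str, result: dict, data: bytes, snippet_len: int = 80) -> str:
    """Build the error page body for a rejected download.

    Every untrusted value (the URL, the reason, the leading bytes of the
    response) is escaped with html.escape, so a fetched HTML page is shown as
    text rather than injected into the validator's page.
    """
    snippet = data[:snippet_len].decode("utf-8", errors="replace")
    return (
        "<p>Could not read a Darwin Core Archive from "
        f"<code>{html.escape(url)}</code> ({html.escape(result['reason'])}).</p>"
        f"<pre>{html.escape(snippet)}</pre>"
    )


if __name__ == "__main__":
    ok = classify_download(make_sample_archive(), "application/zip")
    bad = classify_download(SAMPLE_HTML_PAGE, "text/html")
    print(ok)
    print(bad)
    print(render_error("http://data.canadensys.net/ipt/resource.do?r=vascan", bad, SAMPLE_HTML_PAGE))
```

The magic-byte check is deliberately separate from the `Content-Type` header: a server can label anything `application/zip`, and a resource page served as `text/html` is exactly the case in the report. Escaping in `render_error` is what stops the favicon, CSS and "Feedback" button from the fetched page being rendered inside the validator's response.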

GoogleCodeExporter commented 8 years ago
A great issue indeed, Peter!

Original comment by wixner@gmail.com on 27 Apr 2012 at 8:54