It is possible to display custom text content on any Piwik instance as follows:
Reported to security team:
http://demo.piwik.org is vulnerable to Content spoofing and exploitable to all users. *Description:-* Content Spoofing An attack technique used to trick a user into thinking that fake web site content is legitimate data and is an attack targeting a user made possible by an injection vulnerability in a web application. When an application does not properly handle user supplied data, an attacker can supply content to a web application, typically via a parameter value, that is reflected back to the user. Vulnerable URL- http://demo.piwik.org/index.php?module=Proxy&action=redirect&url= (Text Here)
I wanted to publicly acknowledge this limited security issue - maybe you have a suggestion on how this should be fixed, or whether we should fix it at all?
its not a security issue. it is a bug in the code
simple code rearrange will fix this issue. created a pull request #8719
which will fix this