Javascript :: What Is Possible With XSS With Flashvars - How To Prevent It
Aug 19, 2010
Recently a client was concerned that their SWF was "insecure" because the XML path was coming from Flashvars. This seems to me to be something that isn't really a concern as the SWF is only displaying images / text and a few button links. I can understand how someone could path to the swf and add a remote XML path in to add javascript to the button url targets, but really what damage could this do? Eg. they could change [URL] to this [URL] Obviously they could build a fake wrapper html file around this but I still don't see how they could do anything harmful with this. Am I missing something? My next question is what is the best way to go about preventing this from happening? So far I have in my XSS checking class:
[Code]...
View 2 Replies
Similar Posts:
Jul 22, 2010
I have a flash file with an xml file as flashvars. When I use this code it works in every browser, but not in IE 7 or higher.
OBJECT classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"
codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,0,0"
WIDTH="530" HEIGHT="410" id="usa_locator" ALIGN="">[code]....
After reading a lot, SWFObject seems to be a good option. All you need to do is:
1- Include swfobject.js in header
2- Create an empty div for the flash object to be included
<div id="myContent">
<p>Alternative content</p>
</div>[code].....
The only problem I have is: I don't know how to pass the flashvars via a url for an xml file. It seems to me that SWFObject does not support this. Instead, you need to create a list of flashvars as
var flashvars = {
name1: "hello",
name2: "world",[code]....
View 1 Replies
Jul 26, 2011
This is the code I'm working with right now:
[Code]...
View 1 Replies
Jun 3, 2011
I have a flash player embedded on page page.php?user=john using swfobject. The player calls the xml file content.php to get the results. I'm trying to get the user name from the url id and fetch results based on that. I can get the username on page.php by doing $_GET['user'], but how can I pass that to content.php? Having read a lot of articles online, I did the following. I'm embedding the flash on page.php using swfobject like this
<script type="text/javascript">
var flashvars = {user:"<?php $_GET[user] ?>"};
var so = new SWFObject("<?php echo $index->CFG['site']['url'];?>preview2.swf", "sotester",
View 2 Replies
Feb 10, 2012
I have a problem with flashvars. When I read the url from the browser, if I have assigned just numbers to Id (my parameter in the url), everything works fine, but if my id includes a character, then it does not work. I don't want to change anything on the flash side in the mxml files; I want to do it with javascript.
Here is my code
<script type="text/javascript">
function getQueryVariable(variable)
{
[Code]....
View 1 Replies
Feb 7, 2009
I am dealing with the HTML page where my flash movie is embedded.
So I have a JavaScript function called getURLVar() that returns a string (a variable passed in the HTML page by the URL). That part works.
What I want to do is call that JavaScript function so I can pass its results into the flashVars property where you embed your .swf.
The following does not work
<embed src="MainPage.swf" flashVars="myFlashVar=<script language="'Javascript'>getURLVar()</script>" quality="high" menu="false" bgcolor="#FFFFFF" width="800" height="600" name="test" align="middle"
[Code]...
View 1 Replies
Oct 5, 2010
I would like to update the flashvars value argument to view another video:
<param name='flashvars' value='movieId=1002' />
I found out that I can make it work in Firefox by updating the parameter with the extra step of readding the whole flash contents.
$("param[name=flashvars]").attr("value", "movieId=33");
$("embed").attr("flashvars", "movieId=33");
$(".root").append($("#video"));
But this does not work in IE8 as the browser won't refresh the flash contents. Any ideas on how to reload the flash contents without external dependencies like swfobject.js?
View 5 Replies
Feb 18, 2012
I have a requirement where I want to play the song based on the checkbox checked. I mean I want to set the flashvars parameter of the swf object on click of the checkbox to play the respective song. The tag I am using for this is
[Code]..
in my website. Here I want to change the flashvars dynamically when a checkbox (functioning as a radio button) is checked
View 1 Replies
Dec 9, 2011
I have a flex application (swf file). Does anyone know how to autofill a flex textInput from JavaScript without using flashVars? It must work in FireFox and IE.
View 1 Replies
Mar 26, 2011
So I am trying to pass anything from javascript to an object, and use flashvars to retrieve its definition. Is it even possible? Here is the code-
Javascript
Code:
var user = window.external.GetUsername;
page_request.open('GET', 'http://www.mysite/members/tb/get_avatar.php?username='+user, true);
page_request.send(null);
[code]....
Of course this doesn't work. How would I get that variable "user" that is created in the javascript code back to flash?
View 2 Replies
May 30, 2011
I have a web page where users can play flash games. We are now making some changes to the page which require the games to be embedded with wmode=transparent or wmode=opaque so that we can show HTML elements on top of the flash games. The problem is that in Internet Explorer (on all versions) the whole page scrolls if a user presses the up/down arrow keys. I've tried everything I can think of and I've spent a whole day searching for a solution without success. So far I've tried putting the game inside an iframe and I tried disabling the up/down keys with JS, none of which solves my problem.
View 4 Replies
Feb 29, 2012
I need to suppress the default right click menu for flash embeds.
I've set menu to false, as well as used a stop default function on the right click event, but it still displays the menu.
Also, I don't have access to the .fla's, as the flash objects weren't created by me.
View 2 Replies
Jan 22, 2011
I'm looking for a workaround to the "AdSense does not let you choose only images but no flash" issue. I'm rather a newbie to JS, but is there any way for one script to prevent other scripts embedded in a site from detecting the presence of the flash plugin? Even if it doesn't work with AdSense, it would be nice to know if there's a hack to do this that might work in other settings. By the way, I suppose I wouldn't care if it failed to work on IE or obsolete browser versions.
View 1 Replies
May 2, 2011
The following doesn't work (although it gives no explicit error), but why not? And... Is there really no way around it, strictly using the with statement? Forget using for / foreach.
with (object1, object2) {
attribute = value;
method();
}
Why does the code above give no syntax error and not work, yet is accepted by with? If it's possible, how could we change multiple objects with the same attribute using with?
var object1 = { attribute: 3 };
var object2 = { attribute: 2, method: function() { alert('blah'); } };
var object3 = { method: function() {alert('bleh'); } };
[code]....
View 2 Replies
Jan 29, 2012
I need to execute some javascript string code from flash swf file using actionscript 3.
I read that it could be done by passing the javascript code to the parent html document, using the externalinterface.call function. Then I assume it will be faster if I can declare functions in the javascript code in the HTML document in the first use of the externalinterface.call function, if the flash code calls the javascript code repeatedly. So let me ask you how to do that. For details, any javascript to be loaded is unknown at design time and I cannot prepare a javascript file to be loaded.
View 2 Replies
Aug 1, 2009
For some reason, whenever I dynamically load a swf on a $(document).ready() by writing to a div, I am unable to make javascript calls to the browser. Specifically, all calls to the browser return "null". This does not occur when embedding the swf normally on the page load, but I would like to prevent loading of the swf until a specified point in time.
What the heck is going on here? Is there something special about dynamically embedding a swf that prevents the swf from talking to the browser? The methods ARE called (I've proven such by showing alerts), but all return values to any function, regardless of type returned, shows as null when it gets to flash.
View 3 Replies
Sep 29, 2010
Is it possible to pass file names from a running Flash application, whose only purpose is to enable multiple-file selection, to a JavaScript application which handles upload of all files to the server? I have examined various Flash upload solutions (like SWFUpload, Uploadify, etc.) and none of them meets my needs. I want an easy to implement solution (like Uploadify) which also lets me specify various parts of the HTTP request.
The reason I need this is because my upload form uses session cookies (for user authentication) and a CSRF token, both passed to the server when uploading files. Is it technically possible to pass filenames (+ paths) to a JavaScript application which then handles the upload?
View 1 Replies
May 20, 2011
Here's the challenge: I have a Flash movie which will be embedded in a page using an unknown DOM ID that I want to be able to identify/store for callback in a JS function. My ideal user flow would be: User clicks button in Flash. Flash pauses any animations / video / sounds / etc. Flash calls an injected JS function to display a page-covering overlay experience. When user closes overlay experience, a callback method on the Flash object is called. Flash resumes playback.
The problem is, when AS3 uses the ExternalInterface.call("functionName", args...) method, there doesn't seem to be a DOM event triggered, and thus it is impossible to tell which object called a JS function, so having a "registerMe()" function doesn't seem to work. Basically, the injected JS function has no way to determine which DOM object to call, because the ID of the Flash object is unknown.
[Code]...
View 3 Replies
Aug 26, 2011
I have a flash movie with 2 frames, and I would like to call an external javascript function on frame action.
[Code]...
View 2 Replies
Apr 16, 2009
I'd like to call a javascript function from an embedded .swf file. Specifically, I'd like to call a function in one of my externally linked javascript files from within: function loadTrack(){
[Code]...
which is in an .as file which I assume somehow becomes the swf file. How would I go about this and 're-compile' the .as file?
View 3 Replies
Oct 2, 2011
I'm trying to write a web application that searches google and then downloads the result sites and parses them. The search has to be done on the client side, without implementing a server side proxy. Can this be done using javascript/silverlight/flash?
View 1 Replies
Feb 29, 2012
Let's suppose I have an object named "data" which has a callBack function named "closeItem" which does something. So I have a flash file which has a close button. On click of that I am calling this function, which closes this item. So the issue is: if I pass this "closeItemFunction" as a global function, this works fine, but if I pass this function as "data.closeItem", this doesn't work, throwing some flash error. So I just want to ask: does flash only call global scoped javascript functions?
View 2 Replies
Oct 23, 2009
We're currently building a Flex application using the PureMVC framework with a shell.swf which loads/unloads modules dynamically. We're experiencing issues with memory and we're looking to replace the shell.swf with a JavaScript-based loader. Two questions: What would be a good framework to dynamically load the Flex components and allow the modules to communicate between each other? Would dynamically loading/unloading the modules via JavaScript take care of the typical memory problems associated with Flex/Flash applications?
View 1 Replies
May 10, 2010
With all the recent hype about JavaScript and HTML5 replacing Flash, I wanted to know - How would it be possible to protect client-side js code? Of course, it is possible to obfuscate it, but that would only make it a little harder. Also, for games which submit high scores to the server, wouldn't it be incredibly easy to modify those scores before they are sent to the server? I know even Flash files can be decompiled, but they can be obfuscated and flash decompilation is not as easy as modifying data in JS - could be done easily using a plugin such as Firebug. I'd like to know everyone's views on this.
View 2 Replies
Jun 12, 2010
I need to achieve something like this for my website: Flash Rain Effect
Is that possible to do in Javascript? I want it to be just as smooth as it is in Flash.
View 3 Replies
Dec 19, 2010
I have a flash file that contains a package "game" which has a class "Scores" and a method setValue(). I want to write some lines of Javascript that allow me to call that method. Someone directed me to this tutorial, but I am still a bit confused.
Javascript: alert("start"); var so; so = document.embeds[0];
so.addParam("allowScriptAccess","always"); import flash.external.ExternalInterface;
ExternalInterface.call("setValue[2600]");
displays an alert to tell me that it has indeed begun to execute; saves the embedded flash file into a variable and sets access; imports that class; calls the method. I am not sure about how this class thing works? This is just the bits and pieces I was able to come up with from that site, but I don't really understand how it all works (but certainly hope to eventually). This is the site: http:[url]...how-do-i-access-flash-function-using-javascript. When I execute the code with the importation nothing happens, but the alert does come up when I don't have that statement?
View 1 Replies
Jan 4, 2011
I'm searching for a free partial panorama viewer. It should be placed somewhere in the page and it should be customizable (openSource?). So far I found pan0.net but it only supports 360 and my priority is non 360...
View 2 Replies
Aug 5, 2011
I'm wondering if it's possible to do what I'm thinking, and if it is possible, does anyone know of a flash object that does what I need? I know a Flash object can provide a javascript API to interact with it; what I don't know is, can Flash send an email directly without the need to talk to the webserver to do so? If that's possible, would it not be possible to write a flash object that did nothing but provide an API to send emails? Has such a thing been created that is out there for others to use?
I'm looking to create an email form on a web page but the site is static (no server scripting). In my situation server scripting is not possible as there is no server; the site is 100% client side on a CD/DVD/USB Stick.
View 4 Replies
Dec 4, 2011
I have the following class, and I want to do what is in the comments. I know I can do it with conditionals. I'd like to know if there is a way of doing that dynamically. This code is in AS3, but I know maybe this is related to javascript because AS3 is based on ECMAScript
public class ClientStatus
{
public static const INVITED:int = 0;[code].....
View 2 Replies
Feb 10, 2012
When I moved my mouse there was a red fluid-like velvet effect that followed my mouse and slowly faded. It was really cool and I would love to add it to my website.
View 1 Replies