We have
navigateToURL((new URLRequest(urlToLoad)), "_self");
in ActionScript. urlToLoad is received from a param:
urlToLoad = loaderInfo.parameters[param];
So if we call our SWF with
param=javascript:alert(document.domain)
it shows the classic XSS technique in AS. Unfortunately, we use that. We know we should remove such a mechanism, but have to wait until we switch to HTML5. Did search for a solution on the internet (Google & Bing), but couldn't find an acceptable solution.
Is there a way to whitelist several of our own functions?
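One way to allowlist the parameter before it reaches navigateToURL, as an added example that is not part of the original post. The class name, the function names in ALLOWED_FUNCTIONS, the hosts in ALLOWED_HOSTS and the literal "param" key are assumptions to be replaced with your own.

```actionscript
package {
    import flash.display.Sprite;
    import flash.external.ExternalInterface;
    import flash.net.URLRequest;
    import flash.net.navigateToURL;

    // Hypothetical document class; all names below are placeholders.
    public class SafeNavigator extends Sprite {
        // Short action names mapped to the page's own JavaScript functions.
        private static const ALLOWED_FUNCTIONS:Object = {
            "openHelp": "myApp.openHelp",
            "closePlayer": "myApp.closePlayer"
        };
        // Hosts that navigation is allowed to target (lowercase).
        private static const ALLOWED_HOSTS:Array = ["www.example.com", "static.example.com"];
        // scheme://host[:port][/path]; rejects userinfo ("@") and backslashes in the authority.
        private static const URL_PATTERN:RegExp =
            /^https?:\/\/([a-z0-9.-]+)(?::\d+)?(?:\/[^\s]*)?$/i;

        public function SafeNavigator() {
            handleParam(loaderInfo.parameters["param"]);
        }

        private function handleParam(value:String):void {
            if (value == null) return;
            // Case 1: the value is the name of an allowlisted function.
            // Only the fixed string from the table is passed to the page,
            // never the caller-supplied text itself.
            if (ALLOWED_FUNCTIONS.hasOwnProperty(value)) {
                if (ExternalInterface.available) {
                    ExternalInterface.call(ALLOWED_FUNCTIONS[value]);
                }
                return;
            }
            // Case 2: an absolute http(s) URL on an allowlisted host.
            var m:Object = URL_PATTERN.exec(value);
            if (m != null && ALLOWED_HOSTS.indexOf(String(m[1]).toLowerCase()) != -1) {
                navigateToURL(new URLRequest(value), "_self");
            }
            // Everything else (javascript:, data:, unknown hosts) is dropped.
        }
    }
}
```

With this in place, param=javascript:alert(document.domain) matches neither the function table nor the URL pattern, so nothing is navigated or called.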