Running JavaScript from Flex: Is this javascript function dangerous?

I have a Flex application that requires the ability to generate and execute JavaScript. By this I mean that I need to execute raw JavaScript that I create in my Flex application (and not just call an existing JavaScript method).

I am currently doing this by exposing the following JavaScript method:

function doScript(js){ eval(js);} 

Then I can do something similar in Flex (note: I am doing something more substantial than the warning field in a real Flex application):

 ExternalInterface.call("doScript", "alert('foo')");

My question is whether this poses any security risk. I assume that it does not, since Flex and JavaScript both run on the client side ...

Is there a better way to do this?

+4
6 answers

There is no need for a JavaScript function: the first ExternalInterface argument can be any JavaScript code; it need not be the name of a function (the documentation says so, but it's wrong).

Try the following:

 ExternalInterface.call("alert('hello')"); 
+7

This is not inherently dangerous, but the moment you pass any user-provided data to the function, you are ripe for a code-injection exploit. This is alarming, and I would avoid it. I think the best approach would be to expose only those features that you need, and nothing more.

+1
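
An added example (not code from this thread) that puts the eval bridge from the question beside the allowlist approach this answer recommends; the function names are hypothetical, and alert is replaced by a recording function so the code runs under Node.js:

```javascript
// Constructed example, not from the original thread. Records messages instead
// of calling alert() so it runs outside a browser.
const shown = [];
function showMessage(text) {
  shown.push(String(text));
  return String(text);
}

// The bridge from the question: whatever string Flex sends is executed as code.
// This is only as safe as every string that ever reaches it.
function doScript(js) {
  return eval(js);
}

// Building that string from user-controlled data turns data into code: a plain
// apostrophe in the text already breaks the generated source, which shows that
// the text is being parsed as JavaScript rather than passed as a value.
function doScriptWithUserData(userText) {
  return doScript("showMessage('" + userText + "')");
}

// Hardened bridge: only named, pre-registered functions can be called, and
// user data travels as arguments, never as source text. Unknown names
// (including "eval") are rejected.
const exposed = Object.freeze({ showMessage });
function callExposed(name, ...args) {
  if (!Object.prototype.hasOwnProperty.call(exposed, name)) {
    throw new Error("function not exposed: " + name);
  }
  return exposed[name](...args);
}
```

On the Flex side the hardened bridge is used as ExternalInterface.call("callExposed", "showMessage", userText), so the data never needs quoting or escaping.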

As far as I know, and I'm definitely not a hacker, you're fine. In fact, if someone wanted to, they could use your client-side code anyway, but I don't see how they could use your server-side code via JavaScript (unless you use JavaScript on the server side).

0

I do not see how this lets them do anything they could not already do by calling eval. If there is a security hole here, I do not see it.

0

Remember also that script access is controlled by the "AllowScriptAccess" parameter. If the web page does not want these actions, it should not allow scripts to be invoked.

http://kb.adobe.com/selfservice/viewContent.do?externalId=tn_16494

0

 ExternalInterface.call("eval", "alert('hello');"); 
-1

Source: https://habr.com/ru/post/1276396/
