I have a Flex application that needs the ability to generate and execute JavaScript. When I say this, I mean I need to execute raw JavaScript that I create in my Flex application (not just an existing JavaScript method).
I am currently doing this by exposing the following JavaScript method:
function doScript(js){ eval(js);}
I can then do something like this in Flex (note: I am doing something more substantial than an alert box in the real Flex app):
ExternalInterface.call("doScript", "alert('foo')");
My question is: does this impose any security risk? I am assuming it does not, since the Flex and JavaScript all run client side...
Is there a better way to do this?
6 answers
#1
7
There's no need for the JavaScript function: the first argument to ExternalInterface.call can be any JavaScript code; it doesn't have to be a function name (the documentation says so, but it is wrong).
Try this:
ExternalInterface.call("alert('hello')");
#2
1
This isn't inherently dangerous, but the moment you pass any user-provided data into the function, it's ripe for a code injection exploit. That's worrisome, and something I'd avoid. I think a better approach would be to only expose the functionality you need, and nothing more.
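To make the point of this answer concrete, here is an added example (not code from the original thread) that places the eval-based bridge from the question beside a bridge that exposes only named operations. The Flex side, ExternalInterface.call, is not shown; the JavaScript below is what such a call would reach in the page. The names pageState, allowedOperations, dispatch, setStatus and navigate are hypothetical, chosen for illustration.

```javascript
// Added example, not from the original thread. It contrasts the eval-based
// bridge from the question with a bridge that exposes only named operations.
// The Flex side (ExternalInterface.call) is not shown; the functions below
// are what such a call would reach in the page's JavaScript.

// The bridge from the question: any string that arrives is executed as code.
function doScript(js) {
  return eval(js);
}

// Hardened alternative: a fixed table of operations the page is willing to
// perform. Callers name an operation and pass plain data; the data is never
// interpreted as code. Both operations are hypothetical, for illustration.
const pageState = { status: "", path: "/" };

const allowedOperations = {
  setStatus(text) {
    if (typeof text !== "string" || text.length > 200) {
      throw new TypeError("setStatus: expected a string of at most 200 characters");
    }
    pageState.status = text;
    return pageState.status;
  },
  navigate(path) {
    // Only same-origin relative paths; anything with a scheme or host is rejected.
    if (typeof path !== "string" || !/^\/[A-Za-z0-9_\-.\/]*$/.test(path)) {
      throw new TypeError("navigate: expected a relative path such as /reports");
    }
    pageState.path = path;
    return pageState.path;
  },
};

// The single entry point the SWF is allowed to reach. Unknown names are
// refused before anything is executed.
function dispatch(name, ...args) {
  if (!Object.prototype.hasOwnProperty.call(allowedOperations, name)) {
    throw new Error("unknown operation: " + name);
  }
  return allowedOperations[name](...args);
}

// Constructed input in the shape of "data" a user might type: it closes the
// string literal and appends a statement.
const userInput = "foo'); globalThis.injected = true; ('";

// Splicing the data into a code string for doScript runs the appended statement.
function evalBridgeRunsUserData() {
  globalThis.injected = false;
  doScript("String('" + userInput + "')");
  return globalThis.injected === true;
}

// Passing the same data through dispatch leaves it inert: it is stored verbatim.
function dispatchKeepsUserDataInert() {
  globalThis.injected = false;
  const stored = dispatch("setStatus", userInput);
  return stored === userInput && globalThis.injected === false;
}

// Requests that do not name an allowed operation, or that fail validation,
// are refused; this helper reports whether a request was refused.
function rejected(name, arg) {
  try {
    dispatch(name, arg);
    return false;
  } catch (e) {
    return true;
  }
}
```

With this shape, the Flex application would call ExternalInterface.call("dispatch", "setStatus", someText) and could never reach eval, because eval is simply not a key of the operation table; every argument is checked as data by the operation that receives it.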
#3
0
As far as I know, and I'm definitely not a hacker, you are completely fine. Really, if someone wanted to, they could exploit your code anyway client side, but I don't see how they could exploit your server side code using JavaScript (unless you use server side JavaScript).
#4
0
I don't see where this lets them do anything that they couldn't do already by calling eval. If there's a security hole being introduced here, I don't see it.
#5
0
Remember also that the script actions are controlled by the "AllowScriptAccess" tag in the statement. If the web page doesn't want these actions, they should not permit scripts to call out.
http://kb.adobe.com/selfservice/viewContent.do?externalId=tn_16494
#6
-1
ExternalInterface.call("eval", "alert('hello');");