
Executing JavaScript from Flex: Is this JavaScript function dangerous?

I have a Flex application that needs the ability to generate and execute JavaScript. When I say this, I mean I need to execute raw JavaScript that I create in my Flex application (not just an existing JavaScript method).

I am currently doing this by exposing the following JavaScript method:

function doScript(js){ eval(js);}

I can then do something like this in Flex (note: I am doing something more substantial than an alert box in the real Flex app):

ExternalInterface.call("doScript", "alert('foo')");

My question is: does this impose any security risk? I am assuming it does not, since the Flex and JavaScript all run client side...

Is there a better way to do this?

There's no need for the JavaScript function: the first argument to ExternalInterface can be any JavaScript code, it doesn't have to be a function name (the documentation says so, but it is wrong).

Try this:

ExternalInterface.call("alert('hello')");

This isn't inherently dangerous, but the moment you pass any user-provided data into the function, it's ripe for a code injection exploit. That's worrisome, and something I'd avoid. I think a better approach would be to only expose the functionality you need, and nothing more.
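As an added illustration of the injection point this answer describes (example code, not from the question or any answer): the eval bridge from the question beside a dispatcher that exposes only named functions. The names `exposed`, `dispatch`, `showMessage` and `sum` are hypothetical, and the block runs under Node with no Flex side, so the constructed "untrusted" string stands in for data a user could type into the application.

```javascript
"use strict";

// Added example (not code from the question or any answer). Names such as
// `exposed`, `dispatch`, `showMessage` and `sum` are hypothetical; in the real
// page Flex would reach them via ExternalInterface.call("dispatch", name, args).

// Marker and a constructed untrusted input, as a form field might contain it.
const injectedMarker = { hit: false };
const untrusted = "x'); injectedMarker.hit = true; ('y";
const messages = []; // collects showMessage output so tests can observe it

// What the question exposes: whatever string Flex hands over is run as code.
function doScript(js) {
  return eval(js); // eslint-disable-line no-eval
}

// Hardened alternative: a fixed table of functions the page is willing to
// expose. Flex passes a name plus plain-data arguments, never source text.
const exposed = Object.freeze({
  showMessage(text) { messages.push(String(text)); return true; },
  sum(a, b) { return Number(a) + Number(b); },
});

function dispatch(name, args) {
  // Own-property check keeps inherited names like "constructor" out.
  if (!Object.prototype.hasOwnProperty.call(exposed, name) ||
      typeof exposed[name] !== "function") {
    throw new Error("dispatch: function not exposed: " + name);
  }
  if (!Array.isArray(args)) throw new TypeError("dispatch: args must be an array");
  return exposed[name](...args);
}

// Building a script string around untrusted data: the data becomes code.
function demoEvalBridge() {
  injectedMarker.hit = false;
  doScript("exposed.showMessage('" + untrusted + "')");
  return injectedMarker.hit; // true: the extra statement inside the data ran
}

// Same data through the dispatcher: it stays a string argument.
function demoDispatcher() {
  injectedMarker.hit = false;
  const ok = dispatch("showMessage", [untrusted]);
  return ok && !injectedMarker.hit && messages[messages.length - 1] === untrusted;
}

console.log("eval bridge executed the data:", demoEvalBridge());
console.log("dispatcher kept it as data:", demoDispatcher());
```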

As far as I know, and I'm definitely not a hacker, you are completely fine. Really, if someone wanted to, they could exploit your code anyway client-side, but I don't see how they could exploit your server-side code using JavaScript (unless you use server-side JavaScript).

I don't see where this lets them do anything that they couldn't do already by calling eval. If there's a security hole being introduced here, I don't see it.

Remember also that the script actions are controlled by the "AllowScriptAccess" tag in the statement. If the web page doesn't want these actions, it should not permit scripts to call out.

http://kb.adobe.com/selfservice/viewContent.do?externalId=tn_16494

ExternalInterface.call("eval", "alert('hello');");
