
JavaScript and VBScript Injection in AS3(1)


AS3 Script Injection: Introduction

In AS3 Script Injection, complete and unmodified JavaScript and/or VBScript functions, class objects and applications are stored inside AS3 files using XML, and are then parsed, sent to the browser, and executed, allowing Flash and Flex developers to create a robust browser experience without the need to rely on server-side support scripts.

This tutorial will show how to inject and execute complete JavaScripts and VBScripts into a webpage through ActionScript 3's ExternalInterface class. In addition, we will show how to store and modify complete JavaScript and VBScript scripts directly within AS3 source code, where they may be safely kept until needed. Most of the techniques here may also be applied to AS2 applications with some minor modifications (which will be discussed).

ActionScript-based Script Injection offers the following benefits to developers:

  • Server independence: SWF files may be hosted anywhere, and will simply add their own JavaScript-support files wherever they need them.
  • Script Security: JavaScript and VBScript files are stored within the SWF, and as such are not normally subject to being read and/or modified without the developer's consent.
  • Transparency: Properly-written, Injected Scripts exist only during their execution, and then automatically garbage-collect themselves when they are no longer needed. And since they are executed anonymously, there's no danger of accidentally overwriting existing scripts on the webpage – unless you want to.
  • Runtime Script Modification: Scripts may be modified like strings at runtime to address specific needs, unlike server-based scripts which are essentially static.
  • On-Demand Scripting: Scripts are only injected into webpages when needed, conserving system resources.
  • Compression: lengthy JavaScripts may take advantage of SWF compression: e.g. a 32k JavaScript file is only 5k when stored inside a SWF.

This is an ideal solution for Flash/Flex developers who need JavaScript to interact with the user's browser, but might not have full access to the webpage or server that their SWF application is actually hosted on. Flash Ads, YouTube-style video players, and games that may be hosted across multiple (and possibly unforeseen) webpages are the first things that come to mind, but other possibilities abound.

Additionally, because the JavaScript files are stored within Flash and not externally, they are given a certain amount of anonymity and protection from being read and/or manipulated by third parties, and may take advantage of SWF compression.

Finally, because the scripts are inherently attached to Flash and exist as editable data within the AS3 file, they can be modified at runtime by the Flash application to create custom-tailored solutions based on specific needs, something that is difficult with generic server- and web-encoded scripting solutions.

Note: ActionScript Script Injection should not be confused with the hacker exploit of the same name, also known as Cross-Site Scripting or XSS. While the underlying concepts are similar, the implementation, intent and (above all) security differ greatly. ActionScript-based Script Injection is internal and available only to the Flash developer, as opposed to Hacker Injection, in which otherwise legitimate URLs are "packed" with executable third-party JavaScript code and launched at public Flash sites.

In the hands of a legitimate developer, AS3 Script Injection is a powerful tool that blurs the boundaries between Flash, webpages, the server, and the browser.

AS3 Script Injection: The Basics

Let's begin with a succinct definition of what we are about to do:

"In AS Script Injection, complete and unmodified JavaScript and/or VBScripts are stored inside AS3 files using XML, and are then parsed and sent to the browser, typically using the ExternalInterface class."

That's all there is to it. Of course, getting it all to actually work is the trick, and that's what this tutorial is all about.

Before we dive in, however, we must first dispel some common misconceptions about the ExternalInterface class:

  1. Flash's ExternalInterface can only call named functions.
  2. Called functions must already be on the webpage in <SCRIPT> tags. 
  3. ExternalInterface only works with global functions.
  4. In browsers, ExternalInterface only works with JavaScript.

None of these are true, as we shall soon see:

False: Flash's ExternalInterface can only use named functions, and they must already be on the webpage inside <SCRIPT> tags.

Nothing could be further from the truth! ExternalInterface works by taking your supplied string and performing a JavaScript eval() on it, forcing the browser to see the string as a JavaScript function of the same name (if one exists). It then executes a call() on that function, adding any arguments you supplied.

The first key to script injection is that initial eval() statement; JavaScript's eval function is far more powerful than ActionScript's, and will attempt to turn literally any string passed to it into a proper value, object or function. The only problem is that eval() only interprets a single entity (i.e. a single var, object, or function name) … send it two or more of these entities and it crashes.

This leads us to the second key element: the fact that JavaScript, like ActionScript, can "wrap" almost any number of individual entities within a single anonymous function. The eval() will see only this "Wrapper Function" (a single entity), but will happily interpret everything inside of it. That's dolomite baby!
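The two points above (one evaluated entity, and the wrapper function that satisfies it) can be seen in a simplified JavaScript model of the browser side. This is an added illustration, not code from the original tutorial or from Flash Player; bridgeCall, tryBridgeCall and isPlainFunctionName are hypothetical names and the sample strings are constructed.

```javascript
// Added illustration: simplified model of the eval-then-call behaviour
// described above. All function names here are hypothetical.

// Evaluate the target string as ONE expression, then call the result with args.
function bridgeCall(target, ...args) {
  const fn = (0, eval)("(" + target + ")"); // indirect eval: runs in global scope
  if (typeof fn !== "function") {
    throw new TypeError("target did not evaluate to a function");
  }
  return fn.apply(null, args); // args are passed as values, never evaluated
}

// Same call, but reports failure instead of throwing.
function tryBridgeCall(target, ...args) {
  try {
    return { ok: true, value: bridgeCall(target, ...args) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Review helper: true only for a dotted identifier path such as "alert" or
// "window.app.init"; any other target is code that will be evaluated.
function isPlainFunctionName(target) {
  return /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/.test(target);
}

// Constructed sample targets.
const named = "Math.max";
const twoEntities = "var a = 1; var b = 2";
const wrapper = "function (x) { var a = 1; var b = 2; return a + b + x; }";

const results = {
  named: tryBridgeCall(named, 1, 5),          // named function reference
  twoEntities: tryBridgeCall(twoEntities),    // two entities: eval rejects it
  wrapper: tryBridgeCall(wrapper, 10),        // same entities inside one wrapper
  argStaysData: tryBridgeCall(
    "function (s) { return typeof s + ':' + s; }", "1 + 1"),
};
console.log(results);
```

Because the target string is evaluated as code while the arguments are not, any value that originates outside the SWF belongs in the argument list and not in the target string. A check like isPlainFunctionName separates plain function references from injected script when auditing call sites.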

Because of this, ExternalInterface can not only interact with unnamed functions, it can send them, execute them, and even get a result from them. Consider the following examples. We'll start with the "traditional" use of ExternalInterface, and build our way up to an Injected Script complete with Wrapper Function.

Traditionally, ExternalInterface takes a single string to be evaluated as a function name, and any number of optional arguments (primitives or simple objects), as shown below:

ExternalInterface.call("alert", "foo")

This "normal" form of ExternalInterface executes the JavaScript "alert()" function from Flash, and will display "foo" as the alert-text. But you can also write it like this, and it will function the exact same way:

 

  
