
JavaScript and VBScript Injection in ActionScript


In AS3 Script Injection, complete and unmodified JavaScript and/or VBScript functions, class objects and applications are stored inside AS3 files using XML, and are then parsed, sent to the browser, and executed, allowing Flash and Flex developers to create a robust browser experience without the need to rely on server-side support scripts.

This tutorial will show how to inject and execute complete JavaScripts and VBScripts into a webpage through ActionScript 3's ExternalInterface Class. In addition, we will show how to store and modify complete JavaScript and VBScript scripts directly within AS3 source code, where they may be safely kept until needed. Most of the techniques here may also be applied to AS2 applications with some minor modifications (which will be discussed).

ActionScript-based Script Injection offers the following benefits to developers:

  • Server independence: SWF files may be hosted anywhere, and will simply add their own JavaScript-support files wherever they need them.
  • Script Security: JavaScript and VBScript files are stored within the SWF, and as such are not normally subject to being read and/or modified without the developer's consent.
  • Transparency: Properly-written, Injected Scripts exist only during their execution, and then automatically garbage-collect themselves when they are no longer needed. And since they are executed anonymously, there's no danger of accidentally overwriting existing scripts on the webpage – unless you want to.
  • Runtime Script Modification: Scripts may be modified like strings at runtime to address specific needs, unlike server-based scripts which are essentially static.
  • On-Demand Scripting: Scripts are only injected into webpages when needed, conserving system resources.
  • Compression: lengthy JavaScripts may take advantage of SWF compression: e.g. a 32k JavaScript file is only 5k when stored inside a SWF.

This is an ideal solution for Flash/Flex developers who need JavaScript to interact with the user's browser, but might not have full access to the webpage or server that their SWF application is actually hosted on. Flash Ads, YouTube-style video players, and games that may be hosted across multiple (and possibly unforeseen) webpages are the first things that come to mind, but other possibilities abound.

Additionally, because the JavaScript files are stored within Flash and not externally, they are given a certain amount of anonymity and protection from being read and/or manipulated by third parties, and may take advantage of SWF compression.

Finally, because the scripts are inherently attached to Flash and exist as editable data within the AS3 file, they can be modified at runtime by the Flash application to create custom-tailored solutions based on specific needs, something that is difficult with generic server- and web-encoded scripting solutions.

Note: ActionScript Script Injection should not be confused with the hacker exploit of the same name, also known as Cross-Site Scripting or XSS. While the underlying concepts are similar, the implementation, intent and (above all) security differ greatly. ActionScript-based Script Injection is internal and available only to the Flash developer, as opposed to Hacker Injection, in which otherwise legitimate URLs are "packed" with executable third-party JavaScript code and launched at public Flash sites.

In the hands of a legitimate developer, AS3 Script Injection is a powerful tool that blurs the boundaries between Flash, webpages, the server, and the browser.

 

 

Let's begin with a succinct definition of what we are about to do:

"In AS Script Injection, complete and unmodified JavaScript and/or VBScripts are stored inside AS3 files using XML, and are then parsed and sent to the browser, typically using the ExternalInterface class."

That's all there is to it. Of course, getting it all to actually work is the trick, and that's what this tutorial is all about.

Before we dive in, however, we must first dispel some common misconceptions about the ExternalInterface class:

  1. Flash's ExternalInterface can only call named functions.
  2. Called functions must already be on the webpage in <SCRIPT> tags.
  3. ExternalInterface only works with global functions.
  4. In browsers, ExternalInterface only works with JavaScript.

None of these are true, as we shall soon see:

False: Flash's ExternalInterface can only use named functions, and they must already be on the webpage inside <SCRIPT> tags.

Nothing could be further from the truth! ExternalInterface works by taking your supplied string and performing a JavaScript eval() on it, forcing the browser to see the string as a JavaScript function of the same name (if one exists). It then executes a call() on that function, adding any arguments you supplied.

The first key to script injection is that initial eval() statement; JavaScript's eval function is far more powerful than ActionScript's, and will attempt to turn literally any string passed to it into a proper value, object or function. The only problem is that eval() only interprets a single entity (i.e. a single var, object, or function name) … send it two or more of these entities and it crashes.

This leads us to the second key element: the fact that JavaScript, like ActionScript, can "wrap" almost any number of individual entities within a single anonymous function. The eval() will see only this "Wrapper Function" (a single entity), but will happily interpret everything inside of it. That's dolomite baby!

Because of this, ExternalInterface can not only interact with unnamed functions, it can send them, execute them, and even get a result from them. Consider the following examples. We'll start with the "traditional" use of ExternalInterface, and build our way up to an Injected Script complete with Wrapper Function.

Traditionally, ExternalInterface takes a single string to be evaluated as a function name, and any number of optional arguments (primitives or simple objects), as shown below:

ExternalInterface.call("alert", "foo")

  

This "normal" form of ExternalInterface executes the JavaScript "alert()" function from Flash, and will display "foo" as the alert-text. But you can also write it like this, and it will function the exact same way:

ExternalInterface.call("alert('foo')")

 

The function is still executed because Flash converts the entire command into a string, sends it to the browser, then performs a JavaScript eval() on the string. The eval() recognizes this as a function, and executes it. Lucky for us, this also works with unnamed functions, so

ExternalInterface.call("function(){}")

 

is perfectly valid; the anonymous function will actually get executed in the global namespace once it hits the browser. Which means that this…

ExternalInterface.call("function(){alert('foo');}")

 

…is an equally valid way to write ExternalInterface.call("alert", "foo"), since the anonymous function will get called, and will, in turn, call our alert function. But it gets better! Knowing this trick, there's no reason we can't tuck TWO alerts inside that anonymous function:

 

ExternalInterface.call("function(){alert('foo'); alert('bar');}")

 

...which will trigger both alerts, one after the other. In fact, you can embed just about any series of JavaScript commands, functions, variable declarations etc inside a single anonymous function and it will execute, as this more complex example shows:

var js:String = "function(){function myFunc(str){alert(str);};myFunc('Foobar');}";
ExternalInterface.call(js);

 

Because that example was packed as a single-line string, it's a little hard to read, so I'll explain. When fired off by call(), we first execute our anonymous wrapper function, which creates a local function called myFunc() (technically a "method" since it resides within another function), which, when called, shows another alert box, then finally executes myFunc(). Simple code: powerful implications! Here's that JavaScript again, written out normally so you can read it:

 

function(){
    function myFunc(str){
        alert(str);
    };
    myFunc('foo');
}

 

Of course, in order to actually work, all that JavaScript needs to be formatted as a string, which means we either write it out as a ridiculously long string as above, or we use concatenation and escaping as shown below...

// Build the wrapper function piece by piece, then send it to the browser
var js:String = "function(){";
js += "function myFunc(str){";
js += "alert(str);};";
js += "myFunc('Foobar');}";
ExternalInterface.call(js);

 ...which is almost as annoying and confusing. Wouldn't it be nice to be able to write that code out directly inside Flash, as pure JavaScript, and not have to bother about string conversions?  
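
The concatenation style above turns any runtime value spliced into the string into part of the script itself. The following is an added example, not code from the original tutorial: it models the eval-then-call behaviour described earlier in plain JavaScript, and compares passing a value as an argument with concatenating it into the script. The names bridgeCall and greet and the sample input are assumptions made for illustration.

```javascript
// Simplified model of the behaviour the tutorial describes: the first argument
// is evaluated as JavaScript, and the result is called with the remaining
// arguments. bridgeCall is a hypothetical stand-in, not Flash Player code.
function bridgeCall(script, ...args) {
  const fn = (0, eval)("(" + script + ")"); // indirect eval: global scope
  return typeof fn === "function" ? fn.apply(null, args) : fn;
}

// Stand-in for a function that already exists on the page (constructed).
globalThis.greet = function (name) { return "Hello, " + name; };

// 1. Named function plus argument: the value travels as data.
function viaArgument(name) {
  return bridgeCall("greet", name);
}

// 2. Wrapper function with the value concatenated into the source text,
//    in the tutorial's js += "..." style. The value becomes code.
function viaConcatenation(name) {
  const js = "function(){ return greet('" + name + "'); }";
  try {
    return bridgeCall(js);
  } catch (e) {
    return e.name; // a quote in the value breaks the script
  }
}

// 3. Wrapper function that receives the value as a parameter, so the
//    script text stays constant no matter what the value contains.
function viaWrapperParameter(name) {
  return bridgeCall("function(n){ return greet(n); }", name);
}

// 4. If a value must be embedded in the source, encode it as a literal.
function viaEncodedLiteral(name) {
  const js = "function(){ return greet(" + JSON.stringify(name) + "); }";
  return bridgeCall(js);
}

const sample = "O'Brien"; // constructed input containing an apostrophe
console.log(viaArgument(sample));
console.log(viaConcatenation(sample));
console.log(viaWrapperParameter(sample));
console.log(viaEncodedLiteral(sample));
```

In this model only the concatenated form fails on the apostrophe; the other three keep the script text fixed or encode the value before it reaches eval().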
