
hard coded callbacks to avoid XSS. Closes #142 #143

Merged
merged 1 commit into from
Mar 17, 2015
Merged
107 changes: 57 additions & 50 deletions src/VideoJS.as
@@ -1,5 +1,5 @@
package{

import com.videojs.VideoJSApp;
import com.videojs.events.VideoJSEvent;
import com.videojs.structs.ExternalEventName;
Expand All @@ -20,21 +20,21 @@ package{
import flash.utils.ByteArray;
import flash.utils.Timer;
import flash.utils.setTimeout;

[SWF(backgroundColor="#000000", frameRate="60", width="480", height="270")]
public class VideoJS extends Sprite{

public const VERSION:String = CONFIG::version;

private var _app:VideoJSApp;
private var _stageSizeTimer:Timer;

public function VideoJS(){
_stageSizeTimer = new Timer(250);
_stageSizeTimer.addEventListener(TimerEvent.TIMER, onStageSizeTimerTick);
addEventListener(Event.ADDED_TO_STAGE, onAddedToStage);
}

private function init():void{
// Allow JS calls from other domains
Security.allowDomain("*");
Expand All @@ -44,11 +44,11 @@ package{
// we'll want to suppress ANY uncaught debug errors in production (for the sake of ux)
// IEventDispatcher(loaderInfo["uncaughtErrorEvents"]).addEventListener("uncaughtError", onUncaughtError);
}

if(ExternalInterface.available){
registerExternalMethods();
}

_app = new VideoJSApp();
addChild(_app);

Expand All @@ -64,9 +64,9 @@ package{
this.contextMenu = _ctxMenu;

}

private function registerExternalMethods():void{

try{
ExternalInterface.addCallback("vjs_appendBuffer", onAppendBufferCalled);
ExternalInterface.addCallback("vjs_echo", onEchoCalled);
Expand Down Expand Up @@ -94,39 +94,43 @@ package{
}
}
finally{}



setTimeout(finish, 50);

}

private function finish():void{

if(loaderInfo.parameters.mode != undefined){
_app.model.mode = loaderInfo.parameters.mode;
}

if(loaderInfo.parameters.eventProxyFunction != undefined){

// Hard coding these in for now until we can come up with a better solution for 5.0 to avoid XSS.
_app.model.jsEventProxyName = 'videojs.Flash.onEvent';
the code that uses this doesn't need to be changed?

I also meant whether any changes in the swf are needed where these are used. It sounds like it doesn't.

_app.model.jsErrorEventProxyName = 'videojs.Flash.onError';

/*if(loaderInfo.parameters.eventProxyFunction != undefined){
_app.model.jsEventProxyName = loaderInfo.parameters.eventProxyFunction;
}

if(loaderInfo.parameters.errorEventProxyFunction != undefined){
_app.model.jsErrorEventProxyName = loaderInfo.parameters.errorEventProxyFunction;
}
}*/

if(loaderInfo.parameters.autoplay != undefined && loaderInfo.parameters.autoplay == "true"){
_app.model.autoplay = true;
}

if(loaderInfo.parameters.preload === "none"){
_app.model.preload = false;
}

if(loaderInfo.parameters.poster != undefined && loaderInfo.parameters.poster != ""){
_app.model.poster = String(loaderInfo.parameters.poster);
}

if(loaderInfo.parameters.src != undefined && loaderInfo.parameters.src != ""){
if (isExternalMSObjectURL(loaderInfo.parameters.src)) {
_app.model.srcFromFlashvars = null;
Expand All @@ -143,35 +147,38 @@ package{
_app.model.rtmpStream = loaderInfo.parameters.rtmpStream;
}
}

if(loaderInfo.parameters.readyFunction != undefined){
try{
ExternalInterface.call(_app.model.cleanEIString(loaderInfo.parameters.readyFunction), ExternalInterface.objectID);
}
catch(e:Error){
if (loaderInfo.parameters.debug != undefined && loaderInfo.parameters.debug == "true") {
throw new Error(e.message);
}

// Hard coding this in for now until we can come up with a better solution for 5.0 to avoid XSS.
ExternalInterface.call('videojs.Flash.onReady', ExternalInterface.objectID);
For others, this is the main change.


/*if(loaderInfo.parameters.readyFunction != undefined){
try{
ExternalInterface.call(_app.model.cleanEIString(loaderInfo.parameters.readyFunction), ExternalInterface.objectID);
}
catch(e:Error){
if (loaderInfo.parameters.debug != undefined && loaderInfo.parameters.debug == "true") {
throw new Error(e.message);
}
}
}
}*/
}

private function onAddedToStage(e:Event):void{
stage.addEventListener(MouseEvent.CLICK, onStageClick);
stage.addEventListener(Event.RESIZE, onStageResize);
stage.scaleMode = StageScaleMode.NO_SCALE;
stage.align = StageAlign.TOP_LEFT;
_stageSizeTimer.start();
}

private function onStageSizeTimerTick(e:TimerEvent):void{
if(stage.stageWidth > 0 && stage.stageHeight > 0){
_stageSizeTimer.stop();
_stageSizeTimer.removeEventListener(TimerEvent.TIMER, onStageSizeTimerTick);
init();
}
}

private function onStageResize(e:Event):void{
if(_app != null){
_app.model.stageRect = new Rectangle(0, 0, stage.stageWidth, stage.stageHeight);
Expand All @@ -185,7 +192,7 @@ package{
// write the bytes to the provider
_app.model.appendBuffer(bytes);
}

private function onEchoCalled(pResponse:* = null):*{
return pResponse;
}
Expand All @@ -197,7 +204,7 @@ package{
private function onAbortCalled():*{
_app.model.abort();
}

private function onGetPropertyCalled(pPropertyName:String = ""):*{

switch(pPropertyName){
Expand All @@ -208,7 +215,7 @@ package{
case "loop":
return _app.model.loop;
case "preload":
return _app.model.preload;
return _app.model.preload;
break;
case "metadata":
return _app.model.metadata;
Expand Down Expand Up @@ -278,14 +285,14 @@ package{
break;
case "rtmpConnection":
return _app.model.rtmpConnectionURL;
break;
break;
case "rtmpStream":
return _app.model.rtmpStream;
break;
break;
}
return null;
}

private function onSetPropertyCalled(pPropertyName:String = "", pValue:* = null):void{
switch(pPropertyName){
case "duration":
Expand Down Expand Up @@ -342,7 +349,7 @@ package{
break;
}
}

private function onAutoplayCalled(pAutoplay:* = false):void{
_app.model.autoplay = _app.model.humanToBoolean(pAutoplay);
}
Expand All @@ -360,7 +367,7 @@ package{
}
ExternalInterface.call('videojs.MediaSource.open', cleanSrc, ExternalInterface.objectID);
}

private function onSrcCalled(pSrc:* = ""):void{
// check if an external media source object will provide the video data
if (isExternalMSObjectURL(pSrc)) {
Expand All @@ -375,34 +382,34 @@ package{
_app.model.src = String(pSrc);
}
}

private function onLoadCalled():void{
_app.model.load();
}

private function onPlayCalled():void{
_app.model.play();
}

private function onPauseCalled():void{
_app.model.pause();
}

private function onResumeCalled():void{
_app.model.resume();
}

private function onStopCalled():void{
_app.model.stop();
}

private function onUncaughtError(e:Event):void{
e.preventDefault();
}

private function onStageClick(e:MouseEvent):void{
_app.model.broadcastEventExternally(ExternalEventName.ON_STAGE_CLICK);
}

}
}
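Review bot: The new `ExternalInterface.call('videojs.Flash.onReady', ExternalInterface.objectID);` in finish() runs unconditionally and outside the try/catch that guarded the old readyFunction call, so a container that refuses the call (ExternalInterface.call can throw when JavaScript access is unavailable) would now surface as an uncaught error instead of being swallowed, or rethrown only under `debug == "true"`, as before. Fixing the JS callback names instead of cleaning embedder-supplied flashvars is the right mitigation for the reflected-callback problem the title refers to; keeping the former guard around the hard-coded call preserves the previous failure behaviour, as sketched below. The commented-out `/*if(loaderInfo.parameters.readyFunction …*/` and `/*if(loaderInfo.parameters.eventProxyFunction …*/` blocks should be deleted rather than kept, since history retains them and a reader may otherwise re-enable the flashvar path; a comment such as `// readyFunction, eventProxyFunction and errorEventProxyFunction flashvars are intentionally ignored: callback names are fixed so embed parameters cannot inject script` would make the intent explicit. The same applies to the eventProxyFunction hunk earlier in finish().
```actionscript
// Hard coding this in for now until we can come up with a better solution for 5.0 to avoid XSS.
// readyFunction flashvar is intentionally ignored: the callback name is fixed so embed
// parameters cannot inject script.
try{
    ExternalInterface.call('videojs.Flash.onReady', ExternalInterface.objectID);
}
catch(e:Error){
    if (loaderInfo.parameters.debug != undefined && loaderInfo.parameters.debug == "true") {
        throw new Error(e.message);
    }
}
// … unchanged: remainder of finish() …
```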