3 Replies Latest reply on Jan 6, 2009 7:03 AM by kglad

    Preventing actionscript attacks

    Gorka Ludlow Level 1
      So, this is the thing:
      I ask users for a URL pointing to an image (complete http request, ex. http://www.mysite.com/image.jpg) so that I store it and display it later in a flash holder (using the movieclip loader class).
      If the user inputs a URL that points to a malicious swf file (instead of an image) that has a simple getURL redirection to his website, the moviecliploader will load his swf and then the actionscript will take the user viewing pictures to the malicious site.
      Is there a way to prevent this? Is there a way to load an swf dynamically yet forbid its actionscript to run?
      With the cross domain policy I can prevent the swf from accessing my loading movie's timeline and variables, yet the simple getURL works, opening a pop up of the malicious website.


      P.S. - it's been a while.
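
One server-side check for the situation described in the post, as an added example that is not part of the original thread: classify the submitted content by its leading bytes rather than by the URL's extension, and reject anything carrying a SWF signature. It assumes the server fetches the submitted URL itself and serves its own stored copy; the names `sniff` and `accept_submission` are hypothetical.

```python
from urllib.parse import urlparse

# Leading bytes ("magic numbers") of the formats involved.
IMAGE_SIGNATURES = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
# FWS = uncompressed SWF, CWS = zlib-compressed, ZWS = LZMA-compressed.
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")


def sniff(body: bytes) -> str:
    """Classify content by its leading bytes, ignoring name and extension."""
    if body.startswith(SWF_SIGNATURES):
        return "swf"
    for magic, kind in IMAGE_SIGNATURES.items():
        if body.startswith(magic):
            return kind
    return "unknown"


def accept_submission(url: str, body: bytes) -> tuple[bool, str]:
    """Decide whether user-submitted content may be stored for display.

    `body` is what the server itself fetched from `url`. Only an accepted
    body should be stored and served from the site's own host; handing the
    original URL to the loader would let the remote host swap in a SWF
    after this check has passed.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return False, "url must be absolute http(s)"
    kind = sniff(body)
    if kind == "swf":
        return False, "content is a SWF, not an image"
    if kind == "unknown":
        return False, "content is not a recognised image format"
    return True, kind


# Constructed sample inputs: header bytes only, not real files.
SAMPLES = [
    ("http://www.mysite.com/image.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
    ("http://www.mysite.com/image.jpg", b"CWS\x08\x00\x00\x00\x00"),
    ("http://www.mysite.com/image.jpg", b"<html>"),
]

if __name__ == "__main__":
    for url, body in SAMPLES:
        print(url, accept_submission(url, body))
```

The second sample shows why the extension cannot be trusted: the URL ends in `.jpg`, yet the bytes identify a compressed SWF.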