prevent XSS via buttonText

WordPress · Dec 28, 2012 · f6e5097 · f6e5097
1 parent 17a52f4
commit f6e5097
Showing 1 changed file with 10 additions and 3 deletions.
diff --git a/core/Flash/SWFUpload.as b/core/Flash/SWFUpload.as
@@ -26,6 +26,8 @@ package {
 	import flash.text.TextFormat;
 	import flash.ui.Mouse;
 	import flash.utils.Timer;
+	import flash.xml.XMLNode;
+	import flash.xml.XMLNodeType;
 
 	import FileItem;
 	import ExternalCall;
@@ -231,7 +233,7 @@ package {
 			this.stage.addChild(this.buttonCursorSprite);
 
 			// Get the movie name
-			this.movieName = root.loaderInfo.parameters.movieName || '';
+			this.movieName = root.loaderInfo.parameters.movieName || '';
 			this.movieName = this.movieName.replace(/[^a-zA-Z0-9\_\.\-]/g, "");
 
 			// **Configure the callbacks**
@@ -348,7 +350,8 @@ package {
 			}
 
 			try {
-				this.SetButtonText(String(root.loaderInfo.parameters.buttonText));
+				// HTML-escape strings that come from the user, preventing XSS.
+				this.SetButtonText(htmlEscape(String(root.loaderInfo.parameters.buttonText)));
 			} catch (ex:Object) {
 				this.SetButtonText("");
 			}
@@ -1147,7 +1150,7 @@ package {
 			var style:StyleSheet = new StyleSheet();
 			style.parseCSS(this.buttonTextStyle);
 			this.buttonTextField.styleSheet = style;
-			this.buttonTextField.htmlText = this.buttonText;
+			this.buttonTextField.htmlText = '<span class="button-text">' + this.buttonText + '</span>';
 		}
 
 		private function SetButtonTextPadding(left:Number, top:Number):void {
@@ -1516,5 +1519,9 @@ package {
 			}
 		}
 
+		public function htmlEscape(str:String):String {
+			return XML( new XMLNode( XMLNodeType.TEXT_NODE, str ) ).toXMLString();
+		}
+
 	}
 }