@@ -49,13 +49,13 @@ package {
4949
5050 // Allow the SWF object to communicate with a page on a different origin than its own (e.g. SWF served from CDN)
5151 if (flashvars. trustedOrigins && typeof flashvars. trustedOrigins === "string" ) {
52- var origins: Array = flashvars . trustedOrigins . split ( " \\ " ) . join ( " \\\\ " ). split ("," );
52+ var origins: Array = ZeroClipboard . sanitizeString(flashvars . trustedOrigins ). split ("," );
5353 flash. system. Security . allowDomain . apply (null , origins);
5454 }
5555
5656 // Enable complete AMD (e.g. RequireJS) and CommonJS (e.g. Browserify) support
5757 if (flashvars. jsModuleId && typeof flashvars. jsModuleId === "string" ) {
58- jsModuleId = flashvars . jsModuleId . split ( " \\ " ) . join ( " \\\\ " );
58+ jsModuleId = ZeroClipboard . sanitizeString(flashvars . jsModuleId );
5959 }
6060
6161 // invisible button covers entire stage
@@ -83,6 +83,16 @@ package {
8383 dispatch("load" , ZeroClipboard. metaData());
8484 }
8585
86+ // sanitizeString
87+ //
88+ // This private function will accept a string, and return a sanitized string
89+ // to avoid XSS vulnerabilities
90+ //
91+ // returns an XSS safe String
92+ private static function sanitizeString (dirty :String ): String {
93+ return dirty. replace (/ \\ / g ,"\\\\ " )
94+ }
95+
8696 // mouseClick
8797 //
8898 // The mouseClick private function handles clearing the clipboard, and
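Review bot: The header comment on the new `sanitizeString` (new-side lines 86–91) overstates what the function does: the body only doubles backslashes, `dirty.replace(/\\/g, "\\\\")`, which does not neutralise quotes, newlines or markup on its own, so labelling the result an "XSS safe String" invites the next maintainer to treat its output as safe for any sink. Presumably the doubling exists because these values are later passed through ExternalInterface, which wraps them as JS string literals but has historically not escaped backslashes; if that is the intent, document that narrower contract instead, e.g. `// Doubles backslashes so the value survives ExternalInterface's string quoting. NOT a general XSS escape: the sink still has to quote/escape the value.` The three call sites in the neighbouring hunks (trustedOrigins, jsModuleId, clipText) then read correctly as relying only on that guarantee. Minor: the return on new-side line 93 has no trailing semicolon, `return dirty.replace(/\\/g, "\\\\");`, unlike the surrounding code.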
@@ -99,7 +109,7 @@ package {
99109
100110 // signal to the page it is done
101111 dispatch("complete" , ZeroClipboard. metaData(event, {
102- text : clipText . split ( " \\ " ) . join ( " \\\\ " )
112+ text : ZeroClipboard . sanitizeString(clipText )
103113 }));
104114
105115 // reset the text