@masatokinugawa was so kind to email us about a security vulnerability.
This pull implements his suggestion of using a replace(/\\/g,"\\\\") instead of split("\").join("\\").
@JamesMGreene @ptoomey3 @jnewland @mastahyeti
Interesting and annoying. Big thanks to @masatokinugawa, though!
I can write up a complementary PR for something I was working on locally, too, which ignores all loaderInfo.parameters whose keys are in the SWF query parameters.
Hardening sanitization technique in Flash
Rebuilt and squashed.
Thanks @JamesMGreene 👍
I'll merge it back into the 1.x-master branch in a minute here and tag a new release for you guys.