AS3 Script Injection: Introduction
In AS3 Script Injection, complete and unmodified JavaScript and/or VBScript functions, class objects and applications are stored inside AS3 files using XML, and are then parsed, sent to the browser, and executed, allowing Flash and Flex developers to create a robust browser experience without the need to rely on server-side support scripts.
This tutorial will show how to inject and execute complete JavaScripts and VBScripts into a webpage through ActionScript 3's ExternalInterface Class. In addition, we will show how to store and modify complete JavaScript and VBScript scripts directly within AS3 sourcecode, where they may be safely kept until needed. Most of the techniques here may also be applied to AS2 applications with some minor modifications (which will be discussed).
ActionScript-based Script Injection offers the following benefits to developers:
- Server independence: SWF files may be hosted anywhere, and will simply add their own JavaScript-support files wherever they need them.
- Script Security: JavaScript and VBScript files are stored within the SWF, and as such are not normally subject to being read and/or modified without the developers consent.
- Transparency: Properly-written, Injected Scripts exist only during their execution, and then automatically garbage-collect themselves when they are no longer needed. And since they are executed anonymously, there's no danger of accidentally overwriting existing scripts on the webpage – unless you want to.
- Runtime Script Modification: Scripts may be modified like strings at runtime to address specific needs, unlike server-based scripts which are essentially static.
- On-Demand Scripting: Scripts are only injected into webpages when needed, conserving system resources.
- Compression: lengthy JavaScripts may take advantage of SWF compression: e.g. a 32k JavaScript file is only 5k when stored inside a SWF.
This is an ideal solution for Flash/Flex developers who need JavaScript to interact with the user's browser, but might not have full access to the webpage or server that their SWF application is actually hosted on. Flash Ads, YouTube-style video players, and games that may be hosted across multiple (and possibly unforseen) webpages are the first things that come to mind, but other possibilities abound.
Additionally, because the JavaScript files are stored within Flash and not externally, they are given a certain amount of anonymity and protection from being read and/or manipulated by third parties, and may take advantage of SWF compression.
Finally, because the scripts are inherently attached to Flash and exist as editable data within the AS3 file, they can be modified at runtime by the Flash application to create custom-tailored solutions based on specific needs, something that is difficult with generic server- and web-encoded scripting solutions.
Note: ActionScript Script Injection should not be confused with the hacker exploit of the same name, also known as Cross-Site Scripting or XSS. While the underlying concepts are similar, the implementation, intent and (above all) security differ greatly. ActionScript-based Script Injection is internal and available only to the Flash developer, as opposed to Hacker Injection, in which otherwise legitimate URLs are "packed" with executable third-party JavaScript code and launched at public Flash sites.
In the hands of a legitimate developer, AS3 Script Injection is a powerful tool that blurs the boundaries between Flash, webpages, the server, and the browser.
AS3 Script Injection: The Basics
Let's begin with a succinct definition of what we are about to do:
"In AS Script Injection, complete and unmodified JavaScript and/or VBScripts are stored inside AS3 files using XML, and are then parsed and sent to the browser, typically using the ExternalInterface class."
That's all there is to it. Of course, getting it all to actually work is the trick, and that's what this tutorial is all about.
Before we dive in, however, we must first dispel some common misconceptions about the ExternalInterface class:
- Flash's ExternalInterface can only call named functions.
- Called functions must already be on the webpage in <SCRIPT> tags.
- ExternalInterface only works with global functions.
- In browsers, ExternalInterface only works with JavaScript .
None of these are true, as we shall soon see:
False: Flash's ExternalInterface can only use named functions, and they must already be on the webpage inside <SCRIPT> tags.
Nothing could be further from the truth! ExternalInterface works by taking your supplied string and performing a JavaScript eval() on it, forcing the browser to see the string as a JavaScript function of the same name (if one exists). It then executes a call() on that function, adding any arguments you supplied.
The first key to script injection is that initial eval() statement; JavaScript 's eval function is far more powerful than ActionScript's, and will attempt to turn literally any string passed to it into a proper value, object or function. The only problem is that eval() only interprets a single entity (i.e. a single var, object, or function name) … send it two or more of these entities and it crashes.
This leads us to the second key element: the fact that JavaScript, like ActionScript, can "wrap" almost any number of individual entities within a single anonymous function. The eval() will see only this "Wrapper Function" (a single entity), but will happily interpret everything inside of it. That's dolomite baby!
Because of this, ExternalInterface can not only interact with unnamed functions, it can send them, execute them, and even get a result from them. Consider the following examples. We'll start with the "traditional" use of ExternalInterface, and build our way up to an Injected Script complete with Wrapper Function.
Traditionally, ExternalInterface takes a single string to be evaluated as a function name, and any number of optional arguments (primitives or simple objects), as shown below:
ExternalInterface.call("alert", "foo")
This "normal" form of ExternalInterface executes the JavaScript "alert()" function from Flash, and will display "foo" as the alert-text. But you can also write it like this, and it will function the exact same way:
分享到:
相关推荐
js 实现 在JavaScript运行VBScript函数! 值得下载看看!资源免费,大家分享!!
javascript+vbscript帮助文档
很方便的一个携带式样式查找,翻译的css,Dhtml,javascript,vbscript手册,放在U盘里走哪用到哪,相信会很好用的
javascript,VBScript关键字and保留字
基于神经网络的恶意脚本分类-JavaScript&VBScript Neural Classification of Malicious Scripts: A study with JavaScript and VBScript
javascript vbscript 实例 3D
vbscript和javascript互相调用方法
javascript和vbscript脚本集,挺不错的,好好学习啊!
javascript 和 vbscript 中文参考 帮助文件 多个关键字请用空格分隔,最多填写5个。点击右侧Tag快速添加
JavaScript and JSON Essentials is a step-by-step guide that will introduce you to JSON and help you understand how the lightweight JSON data format can be used in different ways either to store data ...
一个小巧的ASP调试工具(不用配置IIS),能设置断点调试,自动提示错误代码。 还带有ASP,javascript,VBscript教程。
structures and algorithms written in JavaScript. This was strange to me because today many of the job opportunities for software development require knowledge of JavaScript; it is the only language ...
Javascript,Vbscript,DHtml全套手册 开发Web必备工具
Exam Ref 70-480 Programming in HTML5 with JavaScript and CSS3
css android java html5 javascript vbscript帮助文档
这是一本一学就会的Windows脚本技术,其中包括JScript和VBScript.简单易学.
Based upon ES6 and ES7, the latest standards, this JavaScript training will help the reader to explore, without any additional tools, the digital universe of the Web in the era of Big Data: a domain ...
Discover what functional programming is, why it's effective, and how it's used in JavaScript Understand and optimize JavaScript's hidden potential as a true functional language Who This Book Is For If...
70-480 Programming in HTML5 with JavaScript and CSS3