Security Issue SDK-22303: XSS in express-install templates
Description
A potential cross-site scripting (XSS) issue has been identified in the Flex SDK express-install templates shipped with the Flex 3.3 SDK and earlier versions. The unpatched templates use the current page URL (window.location) unencoded when they build the express-install redirect; the fix percent-encodes it with encodeURI() before use. This Tech Note provides guidance on how to update older versions of the SDK and how to correct existing web pages that were generated from the older templates.
Attachments:
- Patched express-installation-with-history/index.template.html file
- Patched express-installation/index.template.html file
To apply this fix to your existing Flex 3 SDKs:
1. Overwrite the existing index.template.html files in the following two SDK folders with the attached index.template.html files:
   - %Flex SDK%\templates\express-installation\index.template.html
   - %Flex SDK%\templates\express-installation-with-history\index.template.html
2. Modify the index.template.html file in your Flex 3 project's /html-template/ directory. Either replace the existing file with the attached file (if your application uses history management, use the /express-installation-with-history/index.template.html file; otherwise use the /express-installation/index.template.html file), or edit the existing index.template.html manually and make the following change:
   a. Search for the following string: var MMredirectURL = window.location;
   b. Replace the string with the following text: var MMredirectURL = encodeURI(window.location);
   c. Save the index.template.html file.
CAUTION: If you’ve customized your default index.template.html file (for example, added the allowFullScreen parameter, FlashVars, or any other HTML changes), overwriting the existing index.template.html file with one of the attached files will undo all those changes. Follow steps 2a-2c above to update the HTML templates manually without losing your existing modifications.
NOTE: If you are not using Flex Builder, or if you are using a custom HTML template that relies on express installation using AC_OETags.js, you will need to modify your HTML wrapper files manually, following steps 2a-2c above.
NOTE: If you are using Flex Builder, the default installed Flex SDKs can be found at C:\Program Files\Adobe\Flex Builder 3\sdks\.
NOTE: The express installation index.template.html files will need to be overwritten for EACH Flex 3 SDK. For example, if you have Flex 3.0.0, Flex 3.1.0, Flex 3.2.0, and Flex 3.3.0 installed, you'll need to overwrite the index.template.html files in each of those installed SDKs.
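The following is an added example and is not code from this Tech Note or from the Flex SDK templates. It models, in simplified form, the string concatenation the express-install wrapper performs when it passes the page URL to the player-install SWF as FlashVars, and shows what the one-line change from window.location to encodeURI(window.location) does to a crafted URL. The helper names (buildFlashVars, flashVarsAttribute, breaksOutOfAttribute, renderInstallParam) and the sample URLs are constructed for this example; the AC_OETags.js function that writes the real markup is not reproduced.

```javascript
// Added example: not part of the Adobe Tech Note or the Flex SDK templates.
// Simplified model of how the express-install wrapper builds its FlashVars
// string from window.location. Helper names and sample URLs are constructed.

// The wrapper concatenates the redirect URL into a FlashVars string together
// with the player type and the document title.
function buildFlashVars(redirectURL, playerType, docTitle) {
  return "MMredirectURL=" + redirectURL +
         "&MMplayerType=" + playerType +
         "&MMdoctitle=" + docTitle;
}

// The FlashVars string ends up inside a double-quoted HTML attribute that is
// written into the page (simplified; the real markup carries more params).
function flashVarsAttribute(flashVars) {
  return '<param name="FlashVars" value="' + flashVars + '">';
}

// Unpatched template line: var MMredirectURL = window.location;
function unpatchedRedirect(location) {
  return String(location);
}

// Patched template line: var MMredirectURL = encodeURI(window.location);
function patchedRedirect(location) {
  return encodeURI(String(location));
}

// A value that still contains ", < or > after encoding can terminate the
// double-quoted attribute and start new markup: the XSS condition.
function breaksOutOfAttribute(value) {
  return /["<>]/.test(value);
}

// Render the param for a given page URL, with or without the fix applied.
function renderInstallParam(location, patched) {
  const redirect = patched ? patchedRedirect(location) : unpatchedRedirect(location);
  return flashVarsAttribute(
    buildFlashVars(redirect, "PlugIn", "My App - Flash Player Installation"));
}

// Constructed sample inputs: a normal page URL and one whose fragment carries
// a payload. The fragment never reaches the server, but it is part of
// window.location, so the wrapper reflects it into the page client-side.
const NORMAL_URL = "http://example.test/app.html";
const CRAFTED_URL = 'http://example.test/app.html#"><script>alert(1)</script>';

// Returns the rendered markup and whether the redirect value escapes the attribute.
function demo() {
  return {
    normal: renderInstallParam(NORMAL_URL, true),
    unpatched: renderInstallParam(CRAFTED_URL, false),
    patched: renderInstallParam(CRAFTED_URL, true),
    unpatchedEscapes: breaksOutOfAttribute(unpatchedRedirect(CRAFTED_URL)),
    patchedEscapes: breaksOutOfAttribute(patchedRedirect(CRAFTED_URL)),
  };
}
```

encodeURI() percent-encodes the characters that matter in a double-quoted attribute (`"`, `<`, `>`, space) but deliberately leaves URI syntax such as `'`, `&`, `=`, `?` and `#` unencoded. Before relying on the one-line fix in a customized wrapper, confirm that the value still lands in a double-quoted HTML attribute; if your template puts it into a single-quoted attribute or directly into inline script, encodeURI() is not sufficient and the value needs encodeURIComponent() or proper HTML escaping for that context.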
To apply this fix to your deployed Flex applications:
If you compiled and deployed your Flex application using the express installation templates, you'll need to manually edit the deployed HTML wrapper file(s) and change one line of code:
1. Open the generated HTML wrapper file and search for the following string: var MMredirectURL = window.location;
2. Replace the string with the following text: var MMredirectURL = encodeURI(window.location);
3. Save the file and overwrite the existing HTML file on the server.
NOTE: This fix does not apply to Flex 4 projects, as they use the SWFObject templates by default.
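The edit in steps 2a-2c and in the deployed-application procedure above is the same one-line string replacement. The following added script, which is not part of this Tech Note or of the Flex SDK, applies that replacement to any number of wrapper or index.template.html files, skips files that are already patched, and leaves every other line untouched, so it can also be used where the CAUTION above rules out overwriting a customized template. The function names, the regular expression and the sample wrapper fragment are constructed for this example.

```javascript
// Added example: not part of the Adobe Tech Note or the Flex SDK.
// Applies the MMredirectURL fix to express-install wrapper files in place,
// without touching any other content in the file.

// Matches the unpatched assignment, tolerating whitespace differences.
// Because it requires "= window.location", it does not match the patched
// "= encodeURI(window.location)" line, so running it twice is safe.
const UNPATCHED = /var\s+MMredirectURL\s*=\s*window\.location\s*;/g;
const PATCHED_LINE = "var MMredirectURL = encodeURI(window.location);";

// Returns true if the file still contains the unpatched assignment.
function needsPatch(html) {
  UNPATCHED.lastIndex = 0;
  return UNPATCHED.test(html);
}

// Returns the patched text and how many occurrences were replaced.
function patchWrapper(html) {
  let count = 0;
  const patched = html.replace(UNPATCHED, () => { count++; return PATCHED_LINE; });
  return { html: patched, replaced: count };
}

// Command-line use: node patch-mmredirect.js <file> [<file> ...]
// Each file is rewritten only when a replacement was actually made.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  for (const path of process.argv.slice(2)) {
    const original = fs.readFileSync(path, "utf8");
    const { html, replaced } = patchWrapper(original);
    if (replaced > 0) {
      fs.writeFileSync(path, html, "utf8");
      console.log(path + ": replaced " + replaced + " occurrence(s)");
    } else {
      console.log(path + ": nothing to do (already patched or no express-install code)");
    }
  }
}

// Constructed sample: a fragment resembling an express-install wrapper, with
// the vulnerable line surrounded by lines that must survive the patch intact.
const SAMPLE_WRAPPER = [
  '<script type="text/javascript">',
  'var MMPlayerType = (isIE == true) ? "ActiveX" : "PlugIn";',
  'var MMredirectURL = window.location;',
  'document.title = document.title.slice(0, 47) + " - Flash Player Installation";',
  '</script>',
].join("\n");
```

Run it once per SDK template folder and once per deployed wrapper; files that report "nothing to do" either were already fixed or do not use the express-install code path, and should be checked by hand rather than assumed safe.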
