svn commit: r885940 - /incubator/shindig/trunk/features/src/main/javascript/features/flash/flash.js

Tue, 01 Dec 2009 13:34:53 -0800 

Author: johnh
Date: Tue Dec  1 21:34:28 2009
New Revision: 885940

URL: http://svn.apache.org/viewvc?rev=885940&view=rev
Log:
Fix for flash embedding in IE. appendChild doesn't work for some odd reason, so 
innerHTML is required.


Modified:
    incubator/shindig/trunk/features/src/main/javascript/features/flash/flash.js

Modified: 
incubator/shindig/trunk/features/src/main/javascript/features/flash/flash.js
URL: 
http://svn.apache.org/viewvc/incubator/shindig/trunk/features/src/main/javascript/features/flash/flash.js?rev=885940&r1=885939&r2=885940&view=diff
==============================================================================
--- 
incubator/shindig/trunk/features/src/main/javascript/features/flash/flash.js 
(original)
+++ 
incubator/shindig/trunk/features/src/main/javascript/features/flash/flash.js 
Tue Dec  1 21:34:28 2009
@@ -150,8 +150,20 @@
             flashObj.setAttribute(prop, opt_params[prop]);
           }
         }
+        // Inject flash object
+        swfContainer.innerHTML = '';
+        swfContainer.appendChild(flashObj);
+        return true;
       } else {
         // Use <object> tag for IE
+        // For some odd reason IE demands that innerHTML be used to set <param>
+        // values; they're otherwise ignored. As such, we need to be careful
+        // what values we accept in opt_params to avoid it being possible to
+        // use this HTML generation for nefarious purposes.
+        var propIsHtmlSafe = function(val) {
+          return !/["<>]/.test(val);
+        }
+       
         opt_params.movie = swfUrl;
         var attr = {
           width: opt_params.width,
@@ -162,28 +174,30 @@
           attr.id = opt_params.id;
         }
 
-        flashObj = document.createElement('object');
-        flashObj.setAttribute('data', swfUrl);
+        var html = '<object';
         for (var attrProp in attr) {
-          if (!/___$/.test(attrProp)) {
-            flashObj.setAttribute(attrProp, attr[attrProp]);
+          if (!/___$/.test(attrProp) &&
+              propIsHtmlSafe(attrProp) &&
+              propIsHtmlSafe(attr[attrProp])) {
+            html += ' ' + attrProp + '="' + attr[attrProp] + '"';
           }
         }
+        html += '>';
+
         for (var paramsProp in opt_params) {
           var param = document.createElement('param');
           if (!/^swf_/.test(paramsProp) && 
               !attr[paramsProp] && 
-              !/___$/.test(paramsProp)) {
-            param.setAttribute('name', paramsProp);
-            param.setAttribute('value', opt_params[paramsProp]);
-            flashObj.appendChild(param);
+              !/___$/.test(paramsProp) &&
+              propIsHtmlSafe(paramsProp) &&
+              propIsHtmlSafe(opt_params[paramsProp])) {
+            html += '<param name="' + paramsProp + '" value="'
+                 + opt_params[paramsProp] + '" />';
           }
         }
+        html += '</object>';
       }
-      // Inject flash object
-      swfContainer.innerHTML = '';
-      swfContainer.appendChild(flashObj);
-      return true;
+      swfContainer.innerHTML = html;
     }
   }
   return false;

Reply via email to