#1012 multimedia_link XSS 취약점

Solid0 2014-10-20 19:03:22 +09:00 committed by bnu
parent 5f50740d96
commit 4b56f1b777
3 changed files with 7 additions and 7 deletions


@ -415,7 +415,7 @@ function _displayMultimedia(src, width, height, options) {
if(/\.(gif|jpg|jpeg|bmp|png)$/i.test(src)){
html = '<img src="'+src+'" width="'+width+'" height="'+height+'" />';
} else if(/\.flv$/i.test(src) || /\.mov$/i.test(src) || /\.moov$/i.test(src) || /\.m4v$/i.test(src)) {
html = '<embed src="'+request_uri+'common/img/flvplayer.swf" allowfullscreen="true" autostart="'+autostart+'" width="'+width+'" height="'+height+'" flashvars="&file='+src+'&width='+width+'&height='+height+'&autostart='+autostart+'" wmode="'+params.wmode+'" />';
html = '<embed src="'+request_uri+'common/img/flvplayer.swf" allowfullscreen="true" allowscriptaccess="never" autostart="'+autostart+'" width="'+width+'" height="'+height+'" flashvars="&file='+src+'&width='+width+'&height='+height+'&autostart='+autostart+'" wmode="'+params.wmode+'" />';
} else if(/\.swf/i.test(src)) {
clsid = 'clsid:D27CDB6E-AE6D-11cf-96B8-444553540000';
@ -428,14 +428,14 @@ function _displayMultimedia(src, width, height, options) {
html += '<param name="'+name+'" value="'+params[name]+'" />';
}
}
html += '' + '<embed src="'+src+'" autostart="'+autostart+'" width="'+width+'" height="'+height+'" flashvars="'+params.flashvars+'" wmode="'+params.wmode+'"></embed>' + '</object>';
html += '' + '<embed src="'+src+'" allowscriptaccess="never" autostart="'+autostart+'" width="'+width+'" height="'+height+'" flashvars="'+params.flashvars+'" wmode="'+params.wmode+'"></embed>' + '</object>';
} else {
if (jQuery.browser.mozilla || jQuery.browser.opera) {
// firefox and opera uses 0 or 1 for autostart parameter.
autostart = (params.autostart && params.autostart != 'false') ? '1' : '0';
}
html = '<embed src="'+src+'" autostart="'+autostart+'" width="'+width+'" height="'+height+'"';
html = '<embed src="'+src+'" allowscriptaccess="never" autostart="'+autostart+'" width="'+width+'" height="'+height+'"';
if(params.wmode == 'transparent') {
html += ' windowlessvideo="1"';
}
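Review bot: Every branch still concatenates `src`, `width`, `height` and the `params` values into attribute values without HTML-escaping, so a value containing a double quote can close the attribute and add further attributes to the `<img>`, `<embed>` or `<param>` tag; the added `allowscriptaccess="never"` only limits what a loaded Flash movie may do, and the `<img>` branch is not changed at all. Escape once before the branch chain, e.g. `src = String(src).replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;').replace(/>/g, '&gt;');`, and build the `file` value inside `flashvars` from `encodeURIComponent` of the raw value. In the `.swf` branch the `<param>` loop appears to emit whatever is in `params`, so an `allowScriptAccess` entry there would presumably still reach the `<object>` tag; pinning it to `never` in that loop is worth checking, as is anchoring the `/\.swf/i` test with `$` like the other extension checks. The body of `_displayMultimedia` starts and ends outside these hunks, so any escaping done earlier in the function is not visible here.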