A potential cross-site scripting (XSS) issue has been identified within the Flex SDK express-install templates contained within the Flex 3.3 SDK and earlier versions. This TechNote provides guidance on how to update older versions of the SDK and correct issues within existing web pages based on the older templates.
Apply this fix to your existing Flex 3 SDKs
- Modify the index.template.html file in your Flex 3 project's /html-template/ directory and either replace the existing file with the attached file (if your application is using history management use the /express-installation-with-history/index.template.html file. Otherwise, use the /express-installation/index.template.html file), or edit the existing index.template.html manually and make the following change:
Caution: If you've customized your default index.template.html file (for example: added the allowFullScreen parameter, or added FlashVars or any other HTML changes), overwriting the existing index.template.html file with one of the attached files will undo all those changes. Follow steps 2a-2c in the previous example to manually update the HTML templates without losing your existing modifications.
Note: If you are not using Flex Builder or if you are using a custom HTML template which relies on express installation using AC_OETags.js, you will need to manually modify your HTML wrapper files and follow steps 2a-2c in the previous example.
Note: If you are using Flex Builder, the default installed Flex SDKs can be found at C:\Program Files\Adobe\Flex Builder 3\sdks\.
Note: The express installation index.template.html files will need to be overwritten for EACH Flex 3 SDK. For example, if you have Flex 3.0.0, Flex 3.1.0, Flex 3.2.0, and Flex 3.3.0 installed, you'll need to overwrite the index.template.html files in each of those installed SDKs.
Apply this fix to your deployed Flex applications
If you compiled and deployed your Flex application using the express installation templates, you'll need to manually edit the HTML wrapper files and change one line of code.