
flash.Lib.getURL now disallow javascript urls by default

Nicolas Cannasse 13 년 전
부모
커밋
5a5340c815
3개의 변경된 파일7개의 추가작업 그리고 2개의 파일을 삭제
  1. 1 0
      doc/CHANGES.txt
  2. 3 1
      std/flash/Lib.hx
  3. 3 1
      std/flash9/Lib.hx

+ 1 - 0
doc/CHANGES.txt

@@ -16,6 +16,7 @@
 	all : allowed @:extern on static methods (no generate + no closure + force inlining)
 	all : added documentation in --display infos + display overloads in completion
 	js : removed --js-namespace, added $hxClasses
+	flash : flash.Lib.getURL now disallow javascript urls by default (security)
 
 2011-09-25: 2.08
 	js : added js.JQuery

+ 3 - 1
std/flash/Lib.hx

@@ -39,7 +39,9 @@ class Lib {
 		return untyped __eval__(str);
 	}
 
-	public static function getURL( url : String, ?target : String ) {
+	public static function getURL( url : String, ?target : String, ?allowScripts ) {
+		if( !allowScripts && url.toLowerCase.substr(0,11) == "javascript:" )
+			throw "Scripts not allowed in URL";
 		untyped __geturl__(url,if( target == null ) "_self" else target);
 	}
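Review bot: The guard on the added `if` line writes `url.toLowerCase.substr(0,11)` without call parentheses, so `substr` is applied to the method itself rather than to the lowercased string; it should read `url.toLowerCase().substr(0,11)`. The same slip appears in the std/flash9/Lib.hx hunk (`url.url.toLowerCase.substr(0,11)`). In this file `?allowScripts` is also left untyped while the flash9 signature declares `?allowScripts : Bool`, and unlike flash9 there is no `url != null` test before the string call. Writing `?allowScripts : Bool` and `!allowScripts && url != null && ...` would bring the two versions into line.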
 

+ 3 - 1
std/flash9/Lib.hx

@@ -52,7 +52,9 @@ class Lib {
 		return o;
 	}
 
-	public static function getURL( url : flash.net.URLRequest, ?target : String ) {
+	public static function getURL( url : flash.net.URLRequest, ?target : String, ?allowScripts : Bool ) {
+		if( !allowScripts && url != null && url.url.toLowerCase.substr(0,11) == "javascript:" )
+			throw "Scripts not allowed in URL";
 		var f = untyped __global__["flash.net.navigateToURL"];
 		if( target == null )
 			f(url);
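Review bot: The scheme test compares only the first 11 characters of `url.url`, so a value with whitespace or control characters ahead of `javascript:` would not match the guard; how the player or browser then treats such a value is not visible from this hunk. Normalising before the comparison, e.g. `StringTools.trim(url.url).toLowerCase().substr(0,11) == "javascript:"`, would narrow that gap, and the std/flash/Lib.hx hunk would need the same change. A doc comment on getURL should state that `allowScripts` opts back in to `javascript:` URLs and is meant only for URLs the caller builds itself, not for externally supplied ones. getURL's body continues past the end of this hunk.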