web: Update eval documentation

Lord-McSweeney · Jun 7, 2024 · b81e5e6 · b81e5e6
1 parent f9f7ece
commit b81e5e6
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/web/packages/core/src/ruffle-imports.ts b/web/packages/core/src/ruffle-imports.ts
@@ -70,6 +70,9 @@ export function copyToAudioBufferInterleaved(
 export function callExternalInterface(name: string, args: any[]): any {
     // [NA] Yes, this is direct eval. Yes, this is a Bad Thing when it comes to security.
     // In fact, yes this is vulnerable to an XSS attack!
-    // But plot twist: Flash allowed for this and many content *relies on it*. :(
+    // But plot twist: Flash allowed for this and many games *relies on it*. :(
+    // Flash content can do `call("eval", "....")` regardless, this doesn't enable anything that wasn't already permitted.
+    // It just goes against what the documentation says, and *looks* really suspicious.
+    // Content can only run this if the website has enabled `allowScriptAccess`, so it has to be enabled by the website too.
     return eval(`(${name})(...args)`);
 }