From b81e5e62178793bb859092edd67936b862be3f12 Mon Sep 17 00:00:00 2001
From: Nathan Adams <dinnerbone@dinnerbone.com>
Date: Fri, 7 Jun 2024 10:36:35 +0200
Subject: [PATCH] web: Update eval documentation

---
 web/packages/core/src/ruffle-imports.ts | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/web/packages/core/src/ruffle-imports.ts b/web/packages/core/src/ruffle-imports.ts
index b3a8cf40ed000..821e3c33ceee0 100644
--- a/web/packages/core/src/ruffle-imports.ts
+++ b/web/packages/core/src/ruffle-imports.ts
@@ -70,6 +70,9 @@ export function copyToAudioBufferInterleaved(
 export function callExternalInterface(name: string, args: any[]): any {
     // [NA] Yes, this is direct eval. Yes, this is a Bad Thing when it comes to security.
     // In fact, yes this is vulnerable to an XSS attack!
-    // But plot twist: Flash allowed for this and many content *relies on it*. :(
+    // But plot twist: Flash allowed for this and many games *relies on it*. :(
+    // Flash content can do `call("eval", "....")` regardless, this doesn't enable anything that wasn't already permitted.
+    // It just goes against what the documentation says, and *looks* really suspicious.
+    // Content can only run this if the website has enabled `allowScriptAccess`, so it has to be enabled by the website too.
     return eval(`(${name})(...args)`);
 }