In AS3 Script Injection, complete and unmodified JavaScript and/or VBScript functions, class objects and applications are stored inside AS3 files using XML, and are then parsed, sent to the browser, and executed, allowing Flash and Flex developers to create a robust browser experience without the need to rely on server-side support scripts.

This tutorial will show how to inject and execute complete JavaScripts and VBScripts into a webpage through ActionScript 3's ExternalInterface class. In addition, we will show how to store and modify complete JavaScript and VBScript scripts directly within AS3 source code, where they may be safely kept until needed. Most of the techniques here may also be applied to AS2 applications with some minor modifications (which will be discussed).
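
A minimal sketch of the technique described above, added here as an illustration and not taken from the original tutorial: a JavaScript function is stored as an XML literal in the AS3 source and executed anonymously through ExternalInterface.call. The class name InjectExample, the constant GET_PAGE_INFO and the JavaScript body are assumptions made for the example.

```actionscript
package {
    import flash.display.Sprite;
    import flash.external.ExternalInterface;

    // Hypothetical document class for this example.
    public class InjectExample extends Sprite {

        // The script lives inside the SWF as XML. The CDATA section keeps
        // characters such as < and & literal, so the JavaScript is stored unmodified.
        private static const GET_PAGE_INFO:XML = <script><![CDATA[
            function (label) {
                return label + ": " + document.title + " @ " + window.location.hostname;
            }
        ]]></script>;

        public function InjectExample() {
            // ExternalInterface only exists when the SWF runs in a container
            // that supports it (a browser plug-in, not the standalone player).
            if (!ExternalInterface.available) {
                trace("ExternalInterface is not available in this container");
                return;
            }
            try {
                // The whole anonymous function is passed where a function name
                // is normally expected. It runs once in the hosting page and
                // leaves no named function behind. The runtime value is passed
                // as an argument instead of being spliced into the script text.
                var info:String = ExternalInterface.call(
                    GET_PAGE_INFO.toString(), "host page");
                trace(info);
            } catch (e:Error) {
                // call() throws when the container refuses outgoing calls, for
                // example a SecurityError when the embedding page's
                // allowScriptAccess setting denies script access to this SWF.
                trace("Script call was blocked: " + e.message);
            }
        }
    }
}
```

Whether the call succeeds is decided by the embedding page, not by the SWF: the allowScriptAccess parameter on the object/embed tag controls whether the SWF may call out to the page at all.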

ActionScript-based Script Injection offers the following benefits to developers:

  • Server independence: SWF files may be hosted anywhere, and will simply add their own JavaScript-support files wherever they need them.
  • Script Security: JavaScript and VBScript files are stored within the SWF, and as such are not normally subject to being read and/or modified without the developer's consent.
  • Transparency: Properly written injected scripts exist only during their execution, and then automatically garbage-collect themselves when they are no longer needed. And since they are executed anonymously, there's no danger of accidentally overwriting existing scripts on the webpage – unless you want to.
  • Runtime Script Modification: Scripts may be modified like strings at runtime to address specific needs, unlike server-based scripts which are essentially static.
  • On-Demand Scripting: Scripts are only injected into webpages when needed, conserving system resources.
  • Compression: Lengthy JavaScripts may take advantage of SWF compression: e.g. a 32k JavaScript file is only 5k when stored inside a SWF.

This is an ideal solution for Flash/Flex developers who need JavaScript to interact with the user's browser, but might not have full access to the webpage or server that their SWF application is actually hosted on. Flash Ads, YouTube-style video players, and games that may be hosted across multiple (and possibly unforeseen) webpages are the first things that come to mind, but other possibilities abound.

Additionally, because the JavaScript files are stored within Flash and not externally, they are given a certain amount of anonymity and protection from being read and/or manipulated by third parties, and may take advantage of SWF compression.

Finally, because the scripts are inherently attached to Flash and exist as editable data within the AS3 file, they can be modified at runtime by the Flash application to create custom-tailored solutions based on specific needs, something that is difficult with generic server- and web-encoded scripting solutions.

Note: ActionScript Script Injection should not be confused with the hacker exploit of the same name, also known as Cross-Site Scripting or XSS. While the underlying concepts are similar, the implementation, intent and (above all) security differ greatly. ActionScript-based Script Injection is internal and available only to the Flash developer, as opposed to Hacker Injection, in which otherwise legitimate URLs are "packed" with executable third-party JavaScript code and launched at public Flash sites.

In the hands of a legitimate developer, AS3 Script Injection is a powerful tool that blurs the boundaries between Flash, webpages, the server, and the browser.