2 matches found
X (Formerly Twitter): XSS platform.twitter.com | video-js metadata
https://platform.twitter.com/video/video-js.1e43b81a2f30220a16fd493aaf072451.swf
VideoJS does not escape metadata passed to JavaScript via ExternalInterface. Since VideoJS does not load a required policy file to read metadata from mp3s loaded from an external server via http, we need to use rtmp...
X (Formerly Twitter): XSS platform.twitter.com
Since you have fixed a few problems with the FlashTransport on platform.twitter.com already, I thought I would also take a look at the JavaScript around it.
Problem URL: https://platform.twitter.com/widgets/hub.html
Description: The mentioned page opens URLs sent to it via postMessage or...