The other reason to beware ExternalInterface.call()

Adobe Flash has a function called ExternalInterface.call(), which takes two parameters: the first is the name of the function to call, and the second is a string to pass to this function. Adobe documentation gives an example that follows this very pattern. The authors remembered to use backslash escaping when outputting the second parameter: hello"world becomes hello\"world. They overlooked the need to escape any stray backslash characters, too. I reported this problem to Adobe in March 2010. In March 2011, Adobe said they had not changed the behavior for backwards compatibility reasons.

Source: http://lcamtuf.blogspot.com/2011/03/other-reason-to-beware-of.html
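
The escaping gap summarized above, as an added example that is not code from the original post or from Adobe. It assumes the second parameter ends up between double quotes in a JavaScript string literal; `escapeQuotesOnly`, `escapeForJsString`, `staysInsideLiteral` and `audit` are hypothetical names, and the sample strings are constructed.

```javascript
// Model of quote-only escaping: " becomes \" and backslashes are left alone.
// (Assumption for illustration; not Adobe's implementation.)
function escapeQuotesOnly(s) {
  return s.replace(/"/g, '\\"');
}

// Hardened counterpart: escape backslashes FIRST, then quotes and line breaks.
// Doing it in the other order would double the backslashes added for quotes.
function escapeForJsString(s) {
  return s
    .replace(/\\/g, '\\\\')
    .replace(/"/g, '\\"')
    .replace(/\r/g, '\\r')
    .replace(/\n/g, '\\n');
}

// Defensive check: would `body`, placed between double quotes, still be a
// single string literal? Walks the text the way a JS tokenizer pairs escapes.
function staysInsideLiteral(body) {
  let i = 0;
  while (i < body.length) {
    const c = body[i];
    if (c === '\\') {
      // A trailing backslash would swallow the closing quote.
      if (i + 1 >= body.length) return false;
      i += 2; // backslash plus the character it escapes
      continue;
    }
    // An unescaped quote or raw line break ends the literal early.
    if (c === '"' || c === '\n' || c === '\r') return false;
    i++;
  }
  return true;
}

// Constructed inputs: a plain quote, a backslash before a quote,
// and a lone trailing backslash.
const samples = ['hello"world', 'hello\\"world', 'trailing\\'];

// Runs one escaper over the samples and reports which outputs stay contained.
function audit(escape) {
  return samples.map((s) => staysInsideLiteral(escape(s)));
}

console.log('quote-only:', audit(escapeQuotesOnly));
console.log('hardened:  ', audit(escapeForJsString));
```

The quote-only escaper passes the first sample and fails the two that contain a backslash, because the stray backslash pairs with the one the escaper adds; the hardened version keeps all three inside the literal.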
