Manual:$wgMangleFlashPolicy/de-formal

Details
When this is set to true, any occurrences of  in sanitised output will be altered to. Without this, an attacker can potentially send their own Adobe cross-domain policy unless it is prevented by the crossdomain.xml file at the domain root.

You should only set this to false if you have a crossdomain.xml file in the root of your website (e.g. http://example.com/crossdomain.xml ).