Well, filtering out "fscommand:" would be enough to avoid problems within Flex itself. I don't believe there is any way to make text active in Flex other than through fscommand?
Typically people rewrite < and > into the HTML entities (e.g., &lt;), but that won't work for Flex. Unlike HTML, it's harder to guarantee that these entities will be displayed in a way that reverts that back to human readable form.

I'm not saying what the best solution to the problem is, but the reality is that the more people using Flex, the more likely such a problem will occur in the wild (Flex encourages these types of apps in a way that Flash itself is largely agnostic).

My hope is that Macromedia does one or two easy things that make this problem go away by default for an application totally built in Flex. And then allow those who cannot make the small compromises the option to turn this protection off at some level and handle it as they see fit.

--- In [email protected], Manish Jethani <[EMAIL PROTECTED]> wrote:
> On 5/5/05, Eric Raymond <[EMAIL PROTECTED]> wrote:
>
> > Here's one way to resolve the issue. There are a handful of input
> > methods in Flex that allow arbitrary input. It would be a step in the
> > right direction if (by default) these text input methods would strip
> > out offending strings. Ideally there would be a property on these
> > components that would allow them to accept any input ... but by
> > default they would be safe. Alternatively there could be an
> > application level setting that controlled for this.
>
> It would be hard to define "offending strings". The way this is
> solved in the HTML world is, data is encoded at the output end. For
> example, if a 'title' and 'description' is being output in a webpage,
> the values for the 'title' and 'description' field are HTML-encoded
> before printing. So basically the application treats data like data
> (and prevents it from being treated like code) at the output end.
>
> The other approach, of restricting input to a subset, is used when you
> want users to be able to input some code (B, I, P tags in HTML, but
> not "malicious" tags like SCRIPT, OBJECT, etc.) but only specific
> types of code.
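
The two HTML-side approaches described in the quoted reply (encode at the output end, or allow only a small subset of tags), as an added example that is not part of the original thread. The function names and the sample record are constructed for illustration, and the code covers HTML output only, not Flex components.

```javascript
// Added example, not code from the thread. All names and sample data are constructed.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Approach 1: encode at the output end, so stored data is always rendered as data.
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Approach 2: permit a small subset of markup. Everything is encoded first,
// then only bare, attribute-free tags from the allowlist are restored.
// Because '&' is encoded before matching, input that already contains
// "&lt;b&gt;" cannot be turned back into a tag.
const ALLOWED_TAGS = ['b', 'i', 'p'];
function encodeWithAllowlist(value) {
  const pattern = new RegExp(`&lt;(/?)(${ALLOWED_TAGS.join('|')})&gt;`, 'gi');
  return encodeHtml(value).replace(
    pattern,
    (_, slash, tag) => `<${slash}${tag.toLowerCase()}>`
  );
}

// Output template: every field passes through an encoder before printing.
function renderItem(item) {
  return (
    `<h2>${encodeHtml(item.title)}</h2>\n` +
    `<div>${encodeWithAllowlist(item.description)}</div>`
  );
}

// Constructed sample record, as it might come back from storage.
const sample = {
  title: 'Tom & Jerry <script>alert(1)</script>',
  description: '<b>Bold</b> and <i>italic</i> <script>alert(1)</script>',
};

console.log(renderItem(sample));
```

The title is fully encoded, while the description keeps its B and I tags and shows the SCRIPT element as literal text.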

