Two more points:

1) With a small number of ways to accept input and complete control
over the client implementation, Macromedia can plug this hole on the
client side.

2) But fixing things on the client may not prevent an attack if one
were to bypass the client in some way.  The Flex proxy/remote objects
make that a bit more difficult but not impossible.  One could
generate a POST directly to the web service via a browser or other
tool.  This is analogous to performing input validation only in
JavaScript and not on the server side.

Is this last point an argument for throwing our hands up in the air
and not doing anything (even if it's not complete)?  I don't think so....

IMHO, having the four or five input methods in Flex by default
disallow entry of asfunction and possibly "<" and ">" (or map them to
something like "[" and "]") would be a small step towards safety for
the masses.  Perhaps this would be turned off automatically on
"password" input.


So much for beating a dead horse....
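The two-layer point made in the message above, as an added example in Python (it is not code from the post, from Flex or from Macromedia): the same filter that a hardened Flex input would apply (reject asfunction, map "<" and ">" to "[" and "]", skip password fields) is run again on the server, and a forged POST that never passed through the client is shown to get through only when the server relies on the client. The field names, the `asfunction\s*:` pattern and the `submit()` request-path simulation are assumptions made for the example.

```python
import re

# Pattern for the asfunction: pseudo-protocol that Flash/Flex htmlText turns
# into a call to an ActionScript function.  Case and whitespace variants are
# accepted so that "ASFunction :" is caught too.  (Assumed pattern.)
ASFUNCTION_RE = re.compile(r"asfunction\s*:", re.IGNORECASE)

# The mapping suggested in the post: "<" -> "[", ">" -> "]".
BRACKET_MAP = str.maketrans({"<": "[", ">": "]"})


def filter_fields(fields, password_fields=frozenset(), where="server"):
    """Apply the post's rule to every submitted field.

    Fields named in password_fields are passed through untouched, since a
    password is stored or compared, never rendered.  Any other field that
    carries an asfunction: reference is rejected; "<" and ">" are mapped to
    square brackets.  `where` only labels the error for the caller.
    """
    clean = {}
    for name, value in fields.items():
        if name in password_fields:
            clean[name] = value
            continue
        if ASFUNCTION_RE.search(value):
            raise ValueError(f"{where}: asfunction not allowed in field {name!r}")
        clean[name] = value.translate(BRACKET_MAP)
    return clean


def submit(fields, through_client=True, server_filters=True,
           password_fields=frozenset({"password"})):
    """Simulated request path: Flex client (optional), then the web service.

    through_client=False models a POST crafted in a browser or other tool,
    which skips the client-side filter entirely.  server_filters=False models
    a service that trusts the client (the JavaScript-only validation analogy).
    Returns (accepted, payload): the sanitized fields, or the rejection reason.
    """
    try:
        if through_client:
            fields = filter_fields(fields, password_fields, where="client")
        if server_filters:
            fields = filter_fields(fields, password_fields, where="server")
    except ValueError as err:
        return False, str(err)
    return True, dict(fields)


# Constructed sample submissions, not captured traffic.
BENIGN = {"comment": "use <b>bold</b> sparingly", "password": "<p@ss>"}
HOSTILE = {"comment": 'click <a href="asfunction:steal,1">here</a>'}


def demo():
    """Run the three cases the post contrasts and return their outcomes."""
    return {
        # Normal path: brackets mapped, password left alone.
        "normal": submit(BENIGN),
        # Forged POST against a service that only trusts the client: passes.
        "forged_client_only": submit(HOSTILE, through_client=False,
                                     server_filters=False),
        # Forged POST against a service that filters itself: rejected.
        "forged_server_filters": submit(HOSTILE, through_client=False),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

Running the filter twice on the normal path is harmless because the mapping is idempotent ("[" and "]" are left as they are); the case that matters is `forged_client_only`, where the hostile payload reaches the service unchanged.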




 
Yahoo! Groups Links

<*> To visit your group on the web, go to:
    http://groups.yahoo.com/group/flexcoders/