Oleg - I was able to have the text execute inline javascript and I think I
could devise an extremely clever XSS attack. Injection would be extremely
hard. Anyway, here is my solution:
1) Flex automatically removed all intrinsic elements from the HTML:
<mx:String id="inputString">
    <![CDATA[
    <a href="#" onclick="alert('hi');">Onclick alert</a><br/>
    <script>alert("Your text in the alert function.");</script>
    ]]>
</mx:String>
<!-- bind the raw HTML straight into the Text component's htmlText property -->
<mx:Text id="inputText" height="100%" width="100%"
    htmlText="{inputString}"/>
The value of inputText.htmlText is the following (notice there is no "onclick"
event, as Flex automatically cleans out intrinsic events):
<TEXTFORMAT LEADING="2"><P ALIGN="LEFT"><FONT FACE="Verdana" SIZE="10"
COLOR="#0B333C" LETTERSPACING="0"
KERNING="0"></FONT></P></TEXTFORMAT><TEXTFORMAT LEADING="2"><P
ALIGN="LEFT"><FONT FACE="Verdana" SIZE="10" COLOR="#0B333C" LETTERSPACING="0"
KERNING="0"> <A HREF="#" TARGET="">Onclick
alert</A></FONT></P></TEXTFORMAT><TEXTFORMAT LEADING="2"><P ALIGN="LEFT"><FONT
FACE="Verdana" SIZE="10" COLOR="#0B333C" LETTERSPACING="0"
KERNING="0"></FONT></P></TEXTFORMAT><TEXTFORMAT LEADING="2"><P
ALIGN="LEFT"><FONT FACE="Verdana" SIZE="10" COLOR="#0B333C" LETTERSPACING="0"
KERNING="0"> alert("Your text in the alert
function.");</FONT></P></TEXTFORMAT><TEXTFORMAT LEADING="2"><P
ALIGN="LEFT"><FONT FACE="Verdana" SIZE="10" COLOR="#0B333C" LETTERSPACING="0"
KERNING="0"> </FONT></P></TEXTFORMAT>
2) So all I need to do is remove the "bad" links, which is done like so:
// Neutralise link protocols that Flash would act on (javascript:, asfunction:,
// event:, vbscript:) by wrapping each keyword in a <span> wherever it appears,
// so the original token no longer occurs verbatim in the htmlText string.
public function makeSafeContent(content:String):String {
    var safeContentStr:String = content;
    var myPattern:RegExp = /javascript/gi;
    safeContentStr = safeContentStr.replace(myPattern, "<span>javascript</span>");
    myPattern = /asfunction/gi;
    safeContentStr = safeContentStr.replace(myPattern, "<span>asfunction</span>");
    myPattern = /event/gi;
    safeContentStr = safeContentStr.replace(myPattern, "<span>event</span>");
    myPattern = /vbscript/gi;
    safeContentStr = safeContentStr.replace(myPattern, "<span>vbscript</span>");
    return safeContentStr;
}
--
Jordan | Yodlee Product Management
Launch your Flex-based financial app in the Yodlee FinApp Store -
http://www.finappstore.com
--- In [email protected], Oleg Sivokon <olegsivo...@...> wrote:
>
> Hm... this is a good point... however, I think that you can secure yourself
> by parsing <a/> tags in that text and see if they don't dispatch any events
> that your SWF may be listening to. But, the worst thing that can happen is
> that the anchor in the text will call some handler inside your application
> (that is execute your own code, not the foreign code), which shouldn't be
> really dangerous, but, that's for you to tell :)
>
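Added example, not code from Jordan or Oleg: Oleg's reply suggests parsing the <a/> tags rather than searching the whole string for keywords, so this JavaScript sketch (ActionScript's close cousin, chosen so it can be run outside Flash) does exactly that. It walks every <a ...> tag in an htmlText string, extracts the href, and keeps the link only when the href is relative or uses an allow-listed scheme; anything else (asfunction:, event:, javascript:, vbscript: and every scheme nobody thought of) gets its href replaced with "#". The allowed-scheme list, the SAFE_HREF value and the sample links are assumptions made for this example; the scheme is compared on a normalised value (entities decoded, lower-cased, whitespace stripped) because a literal keyword match like the one in makeSafeContent only catches the spelling it was written for.

```javascript
// Added example (not from the original thread): allow-list check on <a href>
// values in the limited HTML subset that Flash's TextField.htmlText renders.
// Assumptions: only http, https and mailto links are acceptable, and a
// disallowed href is replaced with "#" rather than dropping the whole tag.

const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);
const SAFE_HREF = "#";

// Normalise a URL before looking at its scheme: decode the entity forms
// Flash understands, strip whitespace/control characters, lower-case.
function normalizeUrl(raw) {
  const decoded = raw
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCharCode(parseInt(d, 10)))
    .replace(/&lt;/gi, "<")
    .replace(/&gt;/gi, ">")
    .replace(/&quot;/gi, '"')
    .replace(/&amp;/gi, "&");
  return decoded.replace(/[\s\x00-\x1f]/g, "").toLowerCase();
}

// True when the href is relative (no scheme at all, e.g. "#" or "/path")
// or uses a scheme on the allow list. asfunction: and event: are Flash
// protocols that call back into the SWF; they fail this check like any
// other unlisted scheme, with no per-keyword rule needed.
function isAllowedHref(raw) {
  const url = normalizeUrl(raw);
  const m = /^([a-z][a-z0-9+.-]*):/.exec(url);
  if (!m) return true;
  return ALLOWED_SCHEMES.has(m[1]);
}

// Rewrite every <a ...> tag in the htmlText string, swapping a disallowed
// href for SAFE_HREF. Returns the cleaned markup and a count of rewrites
// so the caller can log how often untrusted content carried bad links.
function sanitizeHtmlTextLinks(html) {
  let removed = 0;
  const out = html.replace(/<a\b([^>]*)>/gi, (tag, attrs) => {
    const hrefMatch = /\bhref\s*=\s*("([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(attrs);
    if (!hrefMatch) return tag; // anchor without href: nothing to check
    const href = hrefMatch[2] ?? hrefMatch[3] ?? hrefMatch[4] ?? "";
    if (isAllowedHref(href)) return tag;
    removed += 1;
    return `<a${attrs.replace(hrefMatch[0], `href="${SAFE_HREF}"`)}>`;
  });
  return { html: out, removed };
}

// Constructed sample input: the relative link from the thread plus one
// link per category the thread's makeSafeContent tries to catch.
const SAMPLE = [
  '<a href="#" target="">Onclick alert</a>',
  '<a href="http://www.finappstore.com">store</a>',
  '<a href="asfunction:doSomething,arg">call into SWF</a>',
  '<a href="event:openDialog">dispatch link event</a>',
  '<a href="JavaScript:void(0)">mixed case</a>',
].join("<br/>");

function demo() {
  return sanitizeHtmlTextLinks(SAMPLE);
}

console.log(demo()); // removed: 3; only the "#" and http links keep their href
```

Because the check is an allow list on the parsed href, adding a new Flash protocol name to a blacklist is never required, and the count returned by sanitizeHtmlTextLinks is a cheap signal worth logging when the text comes from an untrusted feed.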