Re: Sanitizing HTML (was Re: 0.9.9)

2021-12-10 Thread Edward Stangler
If I need to prove (to the best of my ability) that my app is protected against XSS with regards to innerHTML / innerText, how am I supposed to do this? There are three possible protectors (normally): a. The browser. The browsers will not be able to do this automatically, even with proposed

Re: Sanitizing HTML (was Re: 0.9.9)

2021-12-10 Thread Alex Harui
AIUI, the suggestion is to default to sanitizing before writing to innerHTML so that someone who does let someone type in "anything" and shoves it into a Label's htmlText won't have their app used to run various exploits. If a volunteer can propose a design that defaults to sanitizing and can

RE: Differences between debug and release

2021-12-10 Thread Maria Jose Esteve
As I mentioned in another post, my release version doesn't work either (a few months ago I did a test deployment and it worked, with less code of course). In my case I get this error: App.mxml:40 Uncaught TypeError: a.child is not a function at $$.J.Zwa (App.mxml:40) at B4.J.HA

RE: [Non-DoD Source] Re: Sanitizing HTML (was Re: 0.9.9)

2021-12-10 Thread Kessler CTR Mark J
Sorry for my delay, the use case is based on not allowing unsanitized input from either the user, a request property, or server response. Generally speaking XSS is an injection style exploitation. 2 main types of XSS: 1. Reflected: happens when information from a user or request property is

Re: Apache Royale Add-In for Word - submission has failed validation tests

2021-12-10 Thread Hugo Ferreira
Yes, the release does not work but it does not show any errors or warnings. Since I needed to advance, I'm using the debug version for now (I can switch to release mode later). I will do several tests this weekend to find out the issues related to IE11. But there is the possibility that it

RE: Apache Royale Add-In for Word - submission has failed validation tests

2021-12-10 Thread Maria Jose Esteve
Hugo, "in debug" it works for me in IE11. And thanks to you I noticed that since a couple of months ago my release compilation "doesn't work" ☹. I'm going to look into it. Hiedra -Original Message- From: Hugo Ferreira Sent: Friday, 10 December 2021 14:50 To: Apache

Re: Apache Royale Add-In for Word - submission has failed validation tests

2021-12-10 Thread Hugo Ferreira
I'm using the debug version instead of the release version for now. The only way is to test on that specific version, which will be very difficult to do, or just limit the minimum required version in the manifest file (if that filter works). Harbs wrote on Friday, 10/12/2021 at 13:54:

Re: Apache Royale Add-In for Word - submission has failed validation tests

2021-12-10 Thread Harbs
Royale does work in IE11. You should figure out your minification issues > On Dec 10, 2021, at 3:50 PM, Hugo Ferreira wrote: > > Hi, > > Among several reported issues by Microsoft that I will review and address, > there are two particular issues that seem directly related to the Royale >

Re: Apache Royale Add-In publish to Microsoft Office Store

2021-12-10 Thread Hugo Ferreira
Hi, They already tested the first attempt and posted many things, among them 2 technical issues that I already posted here. Andrew Wetmore wrote on Friday, 10/12/2021 at 13:44: > This is very good news > > On Fri, Dec 10, 2021 at 8:47 AM Hugo Ferreira > wrote: > > > Piotr, > > > > Of

Apache Royale Add-In for Word - submission has failed validation tests

2021-12-10 Thread Hugo Ferreira
Hi, Among several reported issues by Microsoft that I will review and address, there are two particular issues that seem directly related to the Royale framework requirements and not directly to my App, and they worry me. It seems that they test on several Word versions and failed on two

Re: Apache Royale Add-In publish to Microsoft Office Store

2021-12-10 Thread Andrew Wetmore
This is very good news On Fri, Dec 10, 2021 at 8:47 AM Hugo Ferreira wrote: > Piotr, > > Of course I will. > I'm now waiting for the approval process as if it were a normal Mobile > App. > It's the first time and with a Royale App so I don't know what will happen. > Let's find out in the next

Re: Differences between debug and release

2021-12-10 Thread Harbs
You can try setting -js-dynamic-access-unknown-members=true although normally it shouldn’t be necessary with the current defaults. https://apache.github.io/royale-docs/compiler/compiler-options.html#js-dynamic-access-unknown-members > On Dec 10, 2021, at 2:43 PM, Hugo Ferreira wrote: > > I

Re: Apache Royale Add-In publish to Microsoft Office Store

2021-12-10 Thread Hugo Ferreira
Piotr, Of course I will. I'm now waiting for the approval process as if it were a normal Mobile App. It's the first time and with a Royale App so I don't know what will happen. Let's find out in the next few days. Piotr Zarzycki wrote on Friday, 10/12/2021 at 11:22: > Hugo, > > Please

Re: Apache Royale Add-In publish to Microsoft Office Store

2021-12-10 Thread Hugo Ferreira
Thanks. It was not related directly to Royale but to the process. Officially putting an Add-In on the Microsoft Office Store is a complex process, like publishing an iOS App. The good thing is that the App is hosted on my server and after the process is approved, I will probably only have to

Re: Differences between debug and release

2021-12-10 Thread Hugo Ferreira
I only see an error in the console that does not seem related: telemetryproxy.html:1 Failed to load resource: the server responded with a status of 404 () What's the option to build in release without minifying, to check if that is really the case? Harbs wrote on Friday, 10/12/2021 at 09:08:

Re: Apache Royale Add-In publish to Microsoft Office Store

2021-12-10 Thread Piotr Zarzycki
Hugo, Please post a link to it! :) Congrats! Fri, 10 Dec 2021 at 06:39 Yishay Weiss wrote: > Congrats! Were any of the failures Royale related? > > From: Hugo Ferreira > Sent: Friday, December 10, 2021 4:22 AM > To: Apache Royale

Re: Sanitizing HTML (was Re: 0.9.9)

2021-12-10 Thread Harbs
Sanitizing what? And why? What is the use case which is “dangerous”? > On Dec 10, 2021, at 11:49 AM, Edward Stangler wrote: > > > My mistake. > > Definitely should be sanitizing. If you want PAYG, then make it default > (some global function) and something that can be overridden by those

Re: Sanitizing HTML (was Re: 0.9.9)

2021-12-10 Thread Edward Stangler
My mistake. Definitely should be sanitizing. If you want PAYG, then make it default (some global function) and something that can be overridden by those who want to live dangerously. On 12/10/2021 3:07 AM, Harbs wrote: >> It looks to me that most uses of innerHTML in Royale are assigning text

Re: Differences between debug and release

2021-12-10 Thread Harbs
I meant in your browser. Is there an error in the browser console? > On Dec 10, 2021, at 3:17 AM, Hugo Ferreira wrote: > > Hi, > > This is the full log from my dev tool (Visual Studio Code): > >> Executing task: /usr/bin/java -jar >

Sanitizing HTML (was Re: 0.9.9)

2021-12-10 Thread Harbs
> It looks to me that most uses of innerHTML in Royale are assigning text > to various labels (like Button). I’m not sure which case you’re referring to. Ignoring examples, ASDoc and RoyaleSite, here is every use of innerHTML in the framework with comments: HTMLText -- A component created