Hi Mark,
I appreciate you sharing your more recent experience - it sounds like
SonarQube remains the most viable option for now...
Thanks,
Greg
On Thu, May 19, 2022 at 5:20 AM Kessler CTR Mark J
Greg,
We actually still use SonarQube for AS file scanning as AS3 does not have a
lot of actively developed utilities in this area. You do have to customize
their rules list to be more appropriate, but it does give you a 70% solution.
You are correct about it not working on any code
Sorry for my delay, the use case is based on not allowing unsanitized input
from either the user, a request property, or server response. Generally
speaking XSS is an injection style exploitation.
2 main types of XSS:
1. Reflected: happens when information from a user or request property is
Considering we’re already using the goog libs for other things, it should be
fairly straight-forward to wrap the functionality in Royale classes. Feel free
to work on that… ;-)
I do think that the sanitizing should be opt-in.
Harbs
> On Dec 9, 2021, at 5:03 PM, Kessler CTR Mark J
> wrote:
>
-DoD Source] Re: 0.9.9
Not following. What concerns do you have with TextArea values? IFIK, there’s no
possibility of XSS attacks there.
Can you give me specific concerns you have?
> On Dec 9, 2021, at 5:03 PM, Kessler CTR Mark J
> wrote:
>
>I am on the opposite spectrum of
I am on the opposite spectrum of this opinion. We had to write our own
library on top of the basic Royale for our applications that was more security
minded. All of our defaults are for innerText as it will not interpret the
contents or use new variants that already have security built in
Hugo,
If you are using the @externs in the class comments, use a native on
function and it will ignore its requirement to actually have a body. It can
remain just a declaration. The other thing that caused us problems in the
beginning is we needed a change to the release compilation
As an example, here is how to access the version number in other languages.
Some easier to use than others. Looks like the easiest ones are just static
const strings.
Flex[1]: mx.core.FlexVersion.CURRENT_VERSION
Dotnet[2]: System.Environment.Version
Lol, I can't seem to explain it properly. Take maven/ant/config files out of
the equation it doesn't matter for this example. This has to do with getting
some identifying information into the official SDK releases. We don't want to
pass variables as an SDK user. We want the official SDK to
Let me clarify.
@Carlos,
It's not a dependency issue, it's a matter of finding out what the SDK
version or build number of the SDK or any form of uniquely identifying
information about the SDK in code. So the apps we build using Flex we can just
get the Flex version by referencing
Royale version
to 1.0)
On 4/26/19, 4:29 AM, "Kessler CTR Mark J"
wrote:
> So far, we have not had the release scripts properly generate the right
version number for the NPM artifacts.
This spurred a question for me. Is there a way to find out what version
number the
Well imagine a new user blindly walking into the site. They go to the
root of the site [1] and see that nice orange "getting started" button.
Clicking on that takes you to the getting started page [2]. It has a link to
the download page and it has IDE links which is good. It would be
To give a perspective on the references and examples part from our
organization...
When we started trying to convert one of our small apps we chose the
Jewel set of components. This was because it had lots of visible content and
examples [1] whereas the standard examples were more
I validated that it worked with Flex and Royale compilation. Overall it
was an easy replacement.
-Downloaded the OpenJDK from [1] and unzipped it into a folder.
-Updated the JAVA_HOME environmental var.
-The system path for the %JAVA_HOME%\bin folder stayed the same since it was
already
January will require a license annually. So I
was wondering if we move to the OpenJDK officially for the SDK instead of only
requiring the paid licensing app?
-Mark K
-Original Message-
From: Kessler CTR Mark J
Sent: Thursday, April 18, 2019 8:23 AM
To: dev@royale.apache.org
Subject: Java
Our organization is in the process of figuring out how many licenses are
needed for our clients and servers. This conversation however spilled over to
our development environments as well. How is Oracle's new licensing [1][2] for
Oracle Java SE / Oracle JDK going to affect us here for how
For the apps we create we use both cases.
1. Make something invisible, but not remove its layout space. This matches
Carlos's example, by allowing a static sized interface even when parts are not
visible.
2. Make something invisible and remove its layout space. Standard items,
such
My guess is the bottom line would be, no matter what is chosen, do we allow
them an easy way to get at the html properties directly. That would make a big
difference to have to use a longer path to access for a less used property or
have like 2 of every component.
-Mark K
The "text" property is probably just for compatibility with the flex
components if we are talking about things like "TextInput". Is the "text"
property just syntax sugar / wrapping for the html property?
-Mark K
-Original Message-
From: Carlos Rovira
> How can I test this ? Is a way to replace this class and rebuild the sdk ,
> or I wait for tomorrow NB release ?
At the bottom of the download page [1] there are links under the Nightly
Builds section. This has the build packages that are close to what the
officially released SDK has. The
>That said, based on the code snippets provided, I'm not sure why
>"initComplete" fired before addElement, which is what I think you are trying
>to point out. I would expect it to be called in addElement, so further
>investigation is needed there. Put a breakpoint in your "initComplete"
apache.org
Subject: [Non-DoD Source] Re: CreationComplete event question
Hi Mark,
going by parts:
On Mon, Mar 25, 2019 at 18:07, Kessler CTR Mark J
() wrote:
> Using Royale SDK 0.9.4 binaries with a Jewel Card / Basic Group
my recommendation is not to use such an older version. Many
Using Royale SDK 0.9.4 binaries with a Jewel Card / Basic Group and ran into
an issue where the "this" reference is not ready / comparable while in an
"initComplete" event handler. However after its full creation cycle it is
available and can be compared. I tested with a button calling the
Alex,
I'll see if I can squeeze in some time this week to make a basic one to
contribute. I'm talking just the basic methods addPopUp, bringToFront,
centerPopUp, createPopUp, removePopUp, and a few helper methods. That's the
smallest amount of stuff to give the exact same methods as the
Alex,
> 1) It is hard to follow these threads without more context. I think Royale
> is going to require that folks make it clear which components they are using.
> Flex always had a primary set (MX then later, Spark) so we could make
> assumptions about what components you are referencing.
ject: Re: [Non-DoD Source] Re: PopUpManager question
Hi Mark,
On Wed, Mar 20, 2019 at 17:52, Kessler CTR Mark J
() wrote:
> Carlos,
> I did look into that. But it was too simplified for us as an
> enterprise solution. We needed the holistic approach to all popup types;
> it's
component. You can see it working in Tour De Jewel
here:
http://royale.apache.org/tourdejewel/
(is one of the latest options in the drawer menu on the left)
Carlos
On Wed, Mar 20, 2019 at 15:50, Kessler CTR Mark J
() wrote:
> Never mind, Figured it out. I'll switch over to us
Never mind, Figured it out. I'll switch over to using this style.
container.element.style.zIndex;
-Mark K
-Original Message-
From: Kessler CTR Mark J
Sent: Wednesday, March 20, 2019 7:57 AM
To: dev@royale.apache.org
Subject: PopUpManager question
I finally got a chance to get back
I finally got a chance to get back to testing out a conversion of one of our small
apps. I only have this week to work on it. We couldn't find a working
PopUpManager, so we created one. It works pretty good however we tried to
update the z-index on the popup directly using a style, but something
rg
Subject: [Non-DoD Source] Re: Things that we still doesn't have and need in
UIBase sizing
Hi Mark,
thanks for joining the discussion:
On Thu, Jan 10, 2019 at 20:31, Kessler CTR Mark J
() wrote:
>
> Back on topic, I was able to avoid using max size declarations by adding
>
ave and need in UIBase sizing)
Hi Mark,
renaming this since I think it is a very different topic.
I must say that I don't understand completely what you are trying to share,
but I'm completely open to make changes from px to em or vice versa if we
get a better result.
So first:
On Thu, Jan 10, 2019 at
*/
public function Alert()
{
super();
typeNames = "jewel alert";
}
Alert component uses a polyfill of Dialog and that needs both the js and
the css of that polyfill that we retrieve from Cloudflare.
The inject_html makes that two lines be ad
The 0.9.4 release has an Alert.as [1] file on the ASDOC comment for the
constructor has a cloudflare referenced CSS. Is a third party direct reference
supposed to be in there?
[1] projects/Jewel/src/main/royale/jewel/Alert.as
-Mark K
I have a side question on this topic of size and size properties. I'm just
finishing up a 10 day test conversion of a small application interface and was
surprised to see us use PX a lot in the layout when it's on the JS side of
things. I was specifically using the jewel set to test
I'm all for strongly typed / static typed everything when available for
compile and run times. However here is some side information on the ECMA
(2015) typed arrays[1] and the ongoing discussion / notes for the full static
type implementation [2] that was proposed by Sirisian's (pretty
36 matches