Some days ago when I was developing a plugin interface for Twitulater I came upon an interesting and seemingly unsolvable problem in the way Adobe AIR brainlessly tries to make everything more secure - eval function simply doesn't work. Even if you use it, nothing happens.
Alright so there is no eval for evaluating dynamically created javascript. No problem, I'll just use some sort of include function Adobe has surely implemented since AIR is supposed to be this awesome development platform and we all know the ability to include files is somewhat paramount to serious development.
But what's this? Even in AIR 1.5 there STILL isn't an include? What the fuck! Ok, sure, I do realise that they provide an include with Flex, but to be honest Flex isn't exactly something I want to use because the way variable types are postfixed to the variable name fucks with my brain and makes me feel dyslexic. Seriously Adobe, what WERE you thinking there?
Anyhow, back to the lack of eval. Adobe claims that eval is an evil function people use to evaluate unverified code from third-party APIs and thus make their applications superbly vulnerable to an injection attack. Naturally this is a very valid reservation, but I think the solution is severely flawed since it introduces more problems than it's worth.
Basically everything they've done is force bad developers to use a JSON interpreter of some sort for their third-party stuff. Which makes sense, it's a little bit slower than eval, but at least no code gets executed since functions and objects produce errors. Great, no executable third-party code. But did this really solve anything? Oh no wait, bad developers will still open their application up to many security flaws and everyone else is more than slightly inconvenienced.
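An added example (not from the original post) of the trade-off described above: the same constructed response handled by eval and by a strict JSON parser, plus the shape check and output escaping that parsing alone does not provide. The payloads and function names are assumptions made for illustration.

```javascript
// Constructed sample responses standing in for a third-party API (not from the original post).
const benign = '{"user": "alice", "text": "hello"}';
const hostile = '{"user": "mallory", "text": (function () { executed.push("payload ran"); return "hi"; })()}';
const markup = '{"user": "bob", "text": "<b>hi</b>"}';

const executed = []; // filled only if code inside a response actually runs

// The pattern the post says AIR blocks: the response is run as JavaScript source.
function parseWithEval(text) {
  return eval("(" + text + ")");
}

// Strict JSON parsing: a function or call expression is a syntax error, so nothing executes.
function parseStrict(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// Parsing is not validation: check the shape before the rest of the app relies on it.
function validStatus(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v) &&
    typeof v.user === "string" && typeof v.text === "string";
}

// Parsed strings are still untrusted data; escape them before writing them into HTML.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, function (c) { return "&#" + c.charCodeAt(0) + ";"; });
}

// Parse, validate, escape. Returns an HTML fragment, or null if the response is rejected.
function render(text) {
  const r = parseStrict(text);
  if (!r.ok || !validStatus(r.value)) return null;
  return "<li>" + escapeHtml(r.value.user) + ": " + escapeHtml(r.value.text) + "</li>";
}

console.log(render(benign));  // accepted
console.log(render(hostile)); // rejected at parse time, payload never runs
console.log(render(markup));  // accepted, markup neutralised
```
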
I could understand if Adobe at least put a JSON compiler or some sort of dumbed down eval into their JavaScript API, but no, they just leave us out to dry. And, surprisingly, none of the jQuery include plugins out there actually work, neither does JavaScriptMVC's include function. At least I haven't been able to make them work.
But there is in fact a way to include all files from a certain dir, it's a very fucking ugly hack and using it made my programming heart convulse in pain. See for yourself:
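    PluginLoader.prototype.loadPlugin = function (pluginDir) {
        if (this.shouldLoadPlugin(pluginDir)) {
            // getDirectoryListing() returns an array of File objects
            var files = pluginDir.getDirectoryListing();
            for (var i = 0; i < files.length; i++) {
                var file = files[i];
                if (file.extension == "js") {
                    this.loadFile(file);
                }
            }
            this.addLoadedPlugin(pluginDir.name);
        }
    };

    // Only real directories are plugins; hidden ones (leading dot) are skipped
    PluginLoader.prototype.shouldLoadPlugin = function (dir) {
        return dir.isDirectory && dir.name.charAt(0) != ".";
    };

    PluginLoader.prototype.loadFile = function (file) {
        var stream = new air.FileStream();
        stream.open(file, air.FileMode.READ);
        var script = stream.readUTFBytes(stream.bytesAvailable);
        stream.close();
        // The string literal here was stripped from the page; an inline script
        // tag is assumed, based on the description that follows the code.
        document.write("<script type=\"text/javascript\">" + script + "<\/script>");
    };

    PluginLoader.prototype.addLoadedPlugin = function (pluginName) {
        // The markup written here is missing from the page; left as found.
        document.write("");
    };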
As you can see it relies on injecting HTML javascript inclusion into the head after itself and thus ensuring AIR evaluates it. If you try injecting in any sort of nicer way like with appendChild or whatnot, it doesn't work. And the catch is this code has to be run before the document is loaded beyond the head and I think it actually makes AIR spout an error of some sort. But it works.
Who am I and who do I help? I'm Swizec Teller and I turn coders into engineers with "Raw and honest from the heart!" writing. No bullshit. Real insights into the career and skills of a modern software engineer.