Swizec Teller - a geek with a hat (swizec.com)

    Adobe AIR's javascript no eval or include is moronic

    Some days ago when I was developing a plugin interface for Twitulater I came upon an interesting and seemingly unsolvable problem in the way Adobe AIR brainlessly tries to make everything more secure - eval function simply doesn't work. Even if you use it, nothing happens.

    Alright so there is no eval for evaluating dynamically created javascript. No problem, I'll just use some sort of include function Adobe has surely implemented since AIR is supposed to be this awesome development platform and we all know the ability to include files is somewhat paramount to serious development.

    But what's this? Even in AIR 1.5 there STILL isn't an include? What the fuck! Ok, sure, I do realise that they provide an include with Flex, but to be honest Flex isn't exactly something I want to use because the way variable types are postfixed to the variable name fucks with my brain and makes me feel dyslexic. Seriously Adobe, what WERE you thinking there?

    Anyhow, back to lack of eval. Adobe claims that eval is an evil function people use to evaluate unverified code from third party APIs and thus make their applications superbly vulnerable to an injection attack. Naturally this is a very valid reservation, but I think the solution is severely flawed since it introduces more problems than it's worth.

    Basically everything they've done is force bad developers to use a JSON interpreter of some sort for their third-party stuff. Which makes sense, it's a little bit slower than eval, but at least no code gets executed since functions and objects produce errors. Great, no executable third-party code. But did this really solve anything? Oh no wait, bad developers will still open their application up to many security flaws and everyone else is more than slightly inconvenienced.
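
    The difference between the two approaches, as an added example that is not part of the original post: the same constructed third-party payloads are handled once as JavaScript via eval and once by a strict JSON parser. It assumes a modern engine with a native `JSON.parse` (AIR 1.5 would have needed a JSON library); `pwn`, `parseWithEval`, `parseAsData` and the payloads are hypothetical names made up for the demonstration.

```javascript
// Added example: eval vs. a strict JSON parser on third-party input.
// All payloads are constructed for illustration.
let sideEffects = 0;                        // counts payload code that actually ran
globalThis.pwn = () => { sideEffects += 1; return 1; };

// "Before": the response is treated as JavaScript source.
function parseWithEval(text) {
  return (0, eval)("(" + text + ")");       // indirect eval runs in global scope
}

// "After": the response is treated as data; anything else is rejected.
function parseAsData(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

const payloads = {
  plainData: '{"user": "alice", "followers": 42}',
  functionValue: '{"user": "x", "cb": function () { return pwn(); }}',
  callExpression: '{"user": "x", "followers": pwn()}',
};

// For each payload, record whether eval accepted it, whether payload code
// ran while it was being evaluated, and whether the JSON parser accepted it.
function compare() {
  const report = {};
  for (const [name, text] of Object.entries(payloads)) {
    const before = sideEffects;
    let evalAccepted = true;
    try {
      parseWithEval(text);
    } catch (err) {
      evalAccepted = false;
    }
    report[name] = {
      evalAccepted,
      evalRanCode: sideEffects > before,
      jsonOk: parseAsData(text).ok,
    };
  }
  return report;
}

console.log(compare());
```

    Only the plain-data payload passes the JSON parser. eval accepts all three, and the call-expression payload runs code in the application's context while it is merely being "parsed".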

    I could understand if Adobe at least put a JSON compiler or some sort of dumbed down eval into their javascript API, but no, they just leave us out to dry. And, surprisingly, none of the jQuery include plugins out there actually work, neither does javascript MVC's include function. At least I haven't been able to make them work.

    But there is in fact a way to include all files from a certain dir, it's a very fucking ugly hack and using it made my programming heart convulse in pain. See for yourself:

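    PluginLoader.prototype.loadPlugin = function (pluginDir) {
        if (this.shouldLoadPlugin(pluginDir)) {
            var files = pluginDir.getDirectoryListing();
            for (var i in files) {
                var file = files[i];
                if (file.extension == "js") {
                    // Assumed call; the original body of this branch is missing from the page.
                    this.loadFile(file);
                }
            }
        }
    };

    PluginLoader.prototype.shouldLoadPlugin = function (dir) {
        // Skip plain files and hidden (dot-prefixed) directories.
        return dir.isDirectory && dir.name[0] != ".";
    };

    PluginLoader.prototype.loadFile = function (file) {
        var stream = new air.FileStream();
        stream.open(file, air.FileMode.READ); // the FileMode constants are upper-case
        var script = stream.readUTFBytes(stream.bytesAvailable);
        // The lines that inject `script` into the document head are missing from the page.
    };

    PluginLoader.prototype.addLoadedPlugin = function (pluginName) { /* body missing from the page */ };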

    As you can see it relies on injecting HTML javascript inclusion into the head after itself and thus ensuring AIR evaluates it. If you try injecting in any sort of nicer way like with appendChild or whatnot, it doesn't work. And the catch is this code has to be run before the document is loaded beyond the head and I think it actually makes AIR spout an error of some sort. But it works.

    Published on March 25th, 2009 in Adobe AIR, JavaScript, Programming, Uncategorized
