Swizec Teller - a geek with a hatswizec.com

Senior Mindset Book

Get promoted, earn a bigger salary, work for top companies

Senior Engineer Mindset cover
Learn more

    Adobe AIR's javascript no eval or include is moronic

    Some days ago when I was developing a plugin interface for Twitulater I came upon an interesting and seemingly unsolvable problem in the way Adobe AIR brainlessly tries to make everything more secure - eval function simply doesn't work. Even if you use it, nothing happens.

    Alright so there is no eval for evaluating dynamically created javascript. No problem, I'll just use some sort of include function Adobe has surely implemented since AIR is supposed to be this awesome development platform and we all know the ability to include files is somewhat paramount to serious development.

    But what's this? Even in AIR 1.5 there STILL isn't an include? What the fuck! Ok, sure, I do realise that they provide an include with Flex, but to be honest Flex isn't exactly something I want to use because the way variable types are postfixed to the variable name fucks with my brain and makes me feel dyslexic. Seriously Adobe, what WERE you thinking there?

    Anyhow, back to lack of eval. Adobe claims that eval is an evil funciton people use to evaluate unverified code from third party API's and thus make their applications superbly vulnerable to an injection attack. Naturally this is a very valid reservation, but I think the solution is severely flawed since it introduces more problems than it's worth.

    Basically everything they've done is force bad developers to use a JSON interpreter of some sort for their third-party stuff. Which makes sense, it's a little bit slower than eval, but at least no code gets executed since functions and objects produce errors. Great, no executable third-party code. But did this really solve anything? Oh no wait, bad developers will still open their application up to many security flaws and everyone else is more than slightly inconvenienced.

    I could understand if Adobe at least put a JSON compiler or some sort of dumbed down eval into their javascript API, but no, they just leave us out to dry. And, surprisingly, none of the jQuery include plugins out there actually work, neither does javascript MVC's include function. At least I haven't been able to make them work.

    But there is in fact a way to include all files from a certain dir, it's a very fucking ugly hack and using it made my programming heart convulse in pain. See for yourself:

    PluginLoader.prototype.loadPlugin = function (pluginDir) {
      if (this.shouldLoadPlugin(pluginDir)) {
        var files = pluginDir.getDirectoryListing();
        for (var i in files) {
          var file = files[i];
          if (file.extension == "js") {
    PluginLoader.prototype.shouldLoadPlugin = function (dir) {
      return dir.isDirectory && dir.name[0] != ".";
    PluginLoader.prototype.loadFile = function (file) {
      var stream = new air.FileStream();
      stream.open(file, air.FileMode.Read);
      var script = stream.readUTFBytes(stream.bytesAvailable);
    PluginLoader.prototype.addLoadedPlugin = function (pluginName) {

    As you can see it relies on injecting HTML javascript inclusion into the head after itself and thus ensuring AIR evaluates it. If you try injecting in any sort of nicer way like with appendChild or whatnot, it doesn't work. And the catch is this code has to be run before the document is loaded beyond the head and I think it actually makes AIR spout an error of some sort. But it works.

    Reblog this post [with Zemanta]
    Published on March 25th, 2009 in Adobe AIR, JavaScript, Programming, Uncategorized

    Did you enjoy this article?

    Continue reading about Adobe AIR's javascript no eval or include is moronic

    Semantically similar articles hand-picked by GPT-4

    Senior Mindset Book

    Get promoted, earn a bigger salary, work for top companies

    Learn more

    Have a burning question that you think I can answer? Hit me up on twitter and I'll do my best.

    Who am I and who do I help? I'm Swizec Teller and I turn coders into engineers with "Raw and honest from the heart!" writing. No bullshit. Real insights into the career and skills of a modern software engineer.

    Want to become a true senior engineer? Take ownership, have autonomy, and be a force multiplier on your team. The Senior Engineer Mindset ebook can help 👉 swizec.com/senior-mindset. These are the shifts in mindset that unlocked my career.

    Curious about Serverless and the modern backend? Check out Serverless Handbook, for frontend engineers 👉 ServerlessHandbook.dev

    Want to Stop copy pasting D3 examples and create data visualizations of your own? Learn how to build scalable dataviz React components your whole team can understand with React for Data Visualization

    Want to get my best emails on JavaScript, React, Serverless, Fullstack Web, or Indie Hacking? Check out swizec.com/collections

    Did someone amazing share this letter with you? Wonderful! You can sign up for my weekly letters for software engineers on their path to greatness, here: swizec.com/blog

    Want to brush up on your modern JavaScript syntax? Check out my interactive cheatsheet: es6cheatsheet.com

    By the way, just in case no one has told you it yet today: I love and appreciate you for who you are ❤️

    Created by Swizec with ❤️