[Xerte] Xerte and Flash security

Dave Burnett d_b_burnett at hotmail.com
Wed Oct 13 18:24:57 BST 2010




So it is legal XML but AS2 doesn't support all characters when access is made via dot notation.
Brilliant!

The workaround is to wrap the offending phrase in []

This works:
ctrls.templateData.ok[0]["correct-tasks"][0].task[0].desc;

Sheesh.

Still don't know why sendAndLoad won't work from the server, but LoadVars will.
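
Added example, not part of the original message or of Xerte: the NaN result and the bracket workaround, reproduced in JavaScript, which shares the ECMAScript member-access syntax that ActionScript 2 uses. The `templateData` contents, the `tasks` stand-in and the `getPath` helper are assumptions for illustration; `getPath` extends the workaround to an engine that does not know element names in advance.

```javascript
// Constructed sample: a parsed-XML object shaped like the thread's templateData.
const templateData = {
  ok: [{
    "correct-tasks": [{ task: [{ desc: "Fill in the form" }] }],
  }],
};

// Dot notation: the hyphen is the subtraction operator, so the expression
// parses as (data.ok[0].correct) - (tasks[0].task[0].desc).
function dotAccess(data) {
  // Stand-in for whatever `tasks` resolves to. AS2 yields undefined for an
  // unknown name, whereas JavaScript would throw a ReferenceError.
  const tasks = [{ task: [{ desc: "unrelated" }] }];
  return data.ok[0].correct-tasks[0].task[0].desc; // undefined - string
}

// Bracket notation: the element name is an ordinary string key.
function bracketAccess(data) {
  return data.ok[0]["correct-tasks"][0].task[0].desc;
}

// Hypothetical helper for element names that arrive at run time: every step
// uses bracket access and accepts own properties only, so names such as
// "constructor" or "__proto__" in the XML never resolve to inherited members.
function getPath(root, path) {
  let node = root;
  for (const key of path) {
    if (node === null || typeof node !== "object" ||
        !Object.prototype.hasOwnProperty.call(node, key)) {
      return undefined;
    }
    node = node[key];
  }
  return node;
}

const descPath = ["ok", 0, "correct-tasks", 0, "task", 0, "desc"];
console.log(dotAccess(templateData));
console.log(bracketAccess(templateData));
console.log(getPath(templateData, descPath));
console.log(getPath(templateData, ["ok", 0, "constructor"]));
```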



Subject: RE: [Xerte] Xerte and Flash security
Date: Wed, 13 Oct 2010 09:47:34 -0700
From: Paul.Swanson at harlandfs.com
To: xerte at lists.nottingham.ac.uk

According to “XML for the World Wide Web” by
Elizabeth Castro, hyphens can be used in element names, but element names cannot
begin with them. Element names must begin with a letter, an underscore, or a
colon; and cannot begin with the letters x, m and l in either upper or
lowercase.

From: xerte-bounces at lists.nottingham.ac.uk
[mailto:xerte-bounces at lists.nottingham.ac.uk] On Behalf Of Dave Burnett
Sent: Wednesday, October 13, 2010 9:30 AM
To: Xerte list
Subject: RE: [Xerte] Xerte and Flash security

Pat, see my post about having been down this road.



All this thrashing about is due to the fluky chance that a client sent me some
XML to test with a hyphen in an element tag.

Hyphens are perfectly XML legal AFAIK.

I kept getting NaN back when I tried to access via dot notation anything 
within that tag set.



Now the easy answer is of course, change the tag. But when you do dynamic
engines and don't know in the long run what someone might try to run through
there, it can't be considered best practice ;-)



So I thought, OK, maybe the XML has to come URL encoded, and using FileLocation
doesn't give me that.

So I tried to serve the XML off my server, and now I've run into the
sendAndLoad vs Loadvars problem.



Anyway, I tested in a dummy file using Loadvars to the XML on my server, and
elements with a hyphen still return NaN when access is attempted.

From: Patrick.Lockley at nottingham.ac.uk
To: xerte at lists.nottingham.ac.uk
Date: Wed, 13 Oct 2010 17:15:14 +0100
Subject: RE: [Xerte] Xerte and Flash security



Think xerte desktop still uses IE to get to the internet?

From: xerte-bounces at lists.nottingham.ac.uk
[mailto:xerte-bounces at lists.nottingham.ac.uk] On Behalf Of Dave Burnett
Sent: 13 October 2010 16:50
To: Xerte list
Subject: RE: [Xerte] Xerte and Flash security

Thought that only operated on a browser.

I'm in Xerte desktop.

From: Patrick.Lockley at nottingham.ac.uk
To: xerte at lists.nottingham.ac.uk
Date: Wed, 13 Oct 2010 16:46:44 +0100
Subject: RE: [Xerte] Xerte and Flash security



Check with fiddler?

From: xerte-bounces at lists.nottingham.ac.uk
[mailto:xerte-bounces at lists.nottingham.ac.uk] On Behalf Of Dave Burnett
Sent: 13 October 2010 16:46
To: Xerte list
Subject: RE: [Xerte] Xerte and Flash security

"ctrls.sendAndLoad(myReq, 'http://www.myserver.com/dave/some.xml'); // just sits at event trap"

From: Patrick.Lockley at nottingham.ac.uk
To: xerte at lists.nottingham.ac.uk
Date: Wed, 13 Oct 2010 16:41:49 +0100
Subject: RE: [Xerte] Xerte and Flash security



Using the full domain in the http:// request?

From: xerte-bounces at lists.nottingham.ac.uk
[mailto:xerte-bounces at lists.nottingham.ac.uk] On Behalf Of Dave Burnett
Sent: 13 October 2010 16:39
To: Xerte list
Subject: RE: [Xerte] Xerte and Flash security

Only works on domains I think.

Never seen a local file system specified in one.

From: Patrick.Lockley at nottingham.ac.uk
To: xerte at lists.nottingham.ac.uk
Date: Wed, 13 Oct 2010 16:32:23 +0100
Subject: RE: [Xerte] Xerte and Flash security



Crossdomain?

From: xerte-bounces at lists.nottingham.ac.uk [mailto:xerte-bounces at lists.nottingham.ac.uk]
On Behalf Of Dave Burnett
Sent: 13 October 2010 16:32
To: Xerte list
Subject: [Xerte] Xerte and Flash security

If while I am developing a bit and I want to load some XML from my server,
what's the trick?



ctrls.sendAndLoad(myReq, FileLocation + 'some.xml'); //trips onLoad event



ctrls.sendAndLoad(myReq, 'http://www.myserver.com/dave/some.xml'); // just sits at event trap



Dave





This message and any attachment are intended solely for the addressee and may
contain confidential information. If you have received this message in error,
please send it back to me, and immediately delete it. Please do not use, copy
or disclose the information contained in this message or in any attachment. Any
views or opinions expressed by the author of this email do not necessarily
reflect the views of the University of Nottingham. 

This message has been checked for viruses but the contents of an attachment may
still contain software viruses which could damage your computer system: you are
advised to perform your own checks. Email communications with the University of
Nottingham may be monitored as permitted by UK legislation. 



_______________________________________________ Xerte mailing list
Xerte at lists.nottingham.ac.uk http://lists.nottingham.ac.uk/mailman/listinfo/xerte