1 Reply Latest reply on Aug 3, 2010 12:56 PM by chanomies

    Security with HTML from External Site

    chanomies

      I am building an application that pulls HTML content from an external site (RSS feed) and places that content into my Flex application.  The content of this HTML is controlled by another developer at another company.


      After pulling back the HTML I am setting it as the htmlText attribute for an <mx:Text> box.


      Is this safe?  Since I don't control the source HTML content, I'm concerned about the content having cross-site scripting attacks in it: links or things that execute arbitrary JavaScript onclick.  Is there any way to ensure that the HTML coming back can't be used to execute any JavaScript or ActionScript?


      Thanks,

      ..Jordan


      --

      Jordan | Yodlee Product Management

      Launch your Flex-based financial app in the Yodlee FinApp Store - http://www.finappstore.com

        • 1. Re: Security with HTML from External Site
          chanomies Level 1

          I have come up with a two-part solution which I think solves my problem.


          1) Flex automatically removes all intrinsic elements from the HTML:

              <mx:String id="inputString">
                  <![CDATA[
                  <a href="#" onclick="alert('hi');">Onclick alert</a><br/>
                  <script>alert("Your text in the alert function.");</script>
                  ]]>
              </mx:String>
              <mx:Text id="inputText" height="100%" width="100%" htmlText="{inputString}"/>


          The value of inputText.htmlText is the following (notice there is no “onclick” event, as Flex automatically cleans out intrinsic events):
          <TEXTFORMAT LEADING="2"><P ALIGN="LEFT"><FONT FACE="Verdana" SIZE="10" COLOR="#0B333C" LETTERSPACING="0" KERNING="0"></FONT></P></TEXTFORMAT><TEXTFORMAT LEADING="2"><P ALIGN="LEFT"><FONT FACE="Verdana" SIZE="10" COLOR="#0B333C" LETTERSPACING="0" KERNING="0">        <A HREF="#" TARGET="">Onclick alert</A></FONT></P></TEXTFORMAT><TEXTFORMAT LEADING="2"><P ALIGN="LEFT"><FONT FACE="Verdana" SIZE="10" COLOR="#0B333C" LETTERSPACING="0" KERNING="0"></FONT></P></TEXTFORMAT><TEXTFORMAT LEADING="2"><P ALIGN="LEFT"><FONT FACE="Verdana" SIZE="10" COLOR="#0B333C" LETTERSPACING="0" KERNING="0">        alert(&quot;Your text in the alert function.&quot;);</FONT></P></TEXTFORMAT><TEXTFORMAT LEADING="2"><P ALIGN="LEFT"><FONT FACE="Verdana" SIZE="10" COLOR="#0B333C" LETTERSPACING="0" KERNING="0">        </FONT></P></TEXTFORMAT>


          2) So all I need to do is remove the "bad" links, which is done like so:

          // Split each keyword that could start a script URL (javascript:, asfunction:,
          // vbscript:) or an event handler with a <span> tag. htmlText does not render
          // <span>, so the keyword no longer reaches the parser as one contiguous token.
          public function makeSafeContent(content:String):String {
              var safeContentStr:String = content;

              var myPattern:RegExp = /javascript/gi;
              safeContentStr = safeContentStr.replace(myPattern, "<span>javascript</span>");

              myPattern = /asfunction/gi;
              safeContentStr = safeContentStr.replace(myPattern, "<span>asfunction</span>");

              myPattern = /event/gi;
              safeContentStr = safeContentStr.replace(myPattern, "<span>event</span>");

              myPattern = /vbscript/gi;
              safeContentStr = safeContentStr.replace(myPattern, "<span>vbscript</span>");

              return safeContentStr;
          }

          --

          Jordan | Yodlee Product Management

          Launch your Flex-based financial app in the Yodlee FinApp Store - http://www.finappstore.com
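The answer above blocks script URLs by denylisting keywords. As an added example (not code from the thread), the inverse approach: allow-list the URL scheme of every href and drop any on* handler attribute. It is written in JavaScript because AS3's String.replace and RegExp follow the same ECMAScript semantics, so the logic ports directly; the ALLOWED_SCHEMES set, the function names and the SAMPLE fragment are assumptions made for this example.

```javascript
// Added example, not from the original thread. Schemes a link may use;
// everything else (javascript:, asfunction:, vbscript:, data:, ...) is
// rejected without having to name each one.
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

// Return the lowercase scheme of an href value, or null when the link is
// relative (no "scheme:" prefix). Leading whitespace is skipped first.
function hrefScheme(href) {
  const m = /^\s*([a-z][a-z0-9+.-]*):/i.exec(href);
  return m ? m[1].toLowerCase() : null;
}

// A link may be kept when it is relative or its scheme is on the allow list.
function isAllowedHref(href) {
  const scheme = hrefScheme(href);
  return scheme === null || ALLOWED_SCHEMES.has(scheme);
}

// Rewrite every <a ...> start tag in the fragment: drop any on*="..." handler
// attribute, and drop the href attribute when its scheme is not allowed.
// Other tags are left alone; Flex already strips intrinsic events and, as the
// answer's output shows, drops tags htmlText does not know.
function sanitizeLinks(html) {
  return html.replace(/<a\b([^>]*)>/gi, (tag, attrs) => {
    let cleaned = attrs.replace(/\son[a-z]+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, "");
    cleaned = cleaned.replace(
      /\shref\s*=\s*("([^"]*)"|'([^']*)'|([^\s>]+))/gi,
      (attr, _quoted, dq, sq, bare) => {
        const value = dq !== undefined ? dq : sq !== undefined ? sq : bare;
        return isAllowedHref(value) ? attr : "";
      });
    return "<a" + cleaned + ">";
  });
}

// Constructed sample resembling the MXML test string in the answer.
const SAMPLE =
  '<a href="javascript:alert(1)" onclick="alert(2)">x</a>' +
  '<a href="http://www.finappstore.com">FinApp Store</a>' +
  '<a href="asfunction:doSomething,arg">y</a><a href="#">local</a>';

console.log(sanitizeLinks(SAMPLE));
```

Links whose href is dropped stay in the output as plain anchors, so the surrounding text is preserved while the click can no longer reach a script scheme.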