An ActionScript interpreter, courtesy of JavaScript and Apollo

April 12, 2007 on 10:28 pm | In Flex, Programming, Uncategorized |

I’ve been experimenting quite a bit this week with Apollo, in preparation for a wee talk on the subject at Harvard. I’ve been building out that dependency analysis tool in Apollo and exploring the cool Javascript/Actionscript bridging capabilities in a series of examples.

Something amusing came up in the course of exploring script bridging: because JavaScript has the eval() function, and because AS3 objects are visible in an Apollo HTML DOM as fully fledged Javascript objects, one can easily use eval() in a Javascript context to evaluate live AS3 function calls, property assignments, and so on. Very, very nice!

For example,

<head>
<script>var obj;</script>
</head>

<body>
<input id="expr" type="text" size="80"/>
<a href="#" onClick="eval(document.getElementById('expr').value)">
  Evaluate
</a>
</body>

If you stuff this HTML into an HtmlControl, set that control’s window.obj to some AS3 object (say a Label for argument’s sake), then you can eval expressions like obj.setStyle(”fontFamily”, “Tahoma”) inside the HtmlControl and watch them take effect before your eyes. Should be a great debugging hack in Apollo.

3 Comments »

RSS feed for comments on this post. TrackBack URI

  1. Gulp! - This sounds dangerous - there’s surely some remote scripting badness here.

    I can imagine someone creating a web page with a piece of javascript that loops through all the available variables in the Apollo app and posts them back to a remote server. If usernames, passwords etc are stored in shared objects or as temporary variables inside flash then they’re at risk using this technique.

    Hopefully Adobe’s thought of this….

    Comment by Stephen Beattie — June 17, 2007 #

  2. Stephen — That’s a very good point, which I’ll try to check out….

    Comment by joe — June 18, 2007 #

  3. Things look good. On the remote scripting problem: the answer is that HTML windows have their own domain-specific security sandbox, much like a remotely loaded SWF. The capabilities granted to the script in an HTML window are exactly those that would be granted to a SWF loaded from the same domain as the HTML page. In the absence of any crossdomain privileges, these capabilities are null — a generic remote page’s Javascript cannot access information in the parent app, nor use the Apollo runtime APIs.

    Comment by joe — June 18, 2007 #

Leave a comment

XHTML: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <code> <em> <i> <strike> <strong>

Entries and comments feeds. Valid XHTML and CSS.
All content copyright (c) 2006-2007 Joseph Berkovitz. All Rights Reserved.