airsdk / Adobe-Runtime-Support

Report, track and discuss issues in Adobe AIR. Monitored by Adobe - and HARMAN - and maintained by the AIR community.

htmlText, img tag not working #1242

Open myflashlab opened 3 years ago

myflashlab commented 3 years ago

It's weird but it seems like the <img src='img.png/> is not working on any of the 33.** SDKs. The same project shows the inline image with SDK 32 but not anything higher.

ajwfrost commented 3 years ago

Interesting .. it's not working for me either with ADL Version 32.0.0.116... ... or with 32.0.0.89. Wondering if I'm going slightly mad, are you able to provide a quick app where you see it working in the older SDK and we can double-check?

thanks

myflashlab commented 3 years ago

I created a quick test project in AdobeAnimate and targeted SDK 32 to see if it works or not... and it did!

package {
    import flash.display.Sprite;
    import flash.text.TextField;

    public class Main extends Sprite {
        public function Main() {
            var textField:TextField = new TextField();
            textField.border = true;
            // Inline image loaded from a remote URL through htmlText
            textField.htmlText = "test <img src='https://www.myflashlabs.com/wp-content/uploads/2015/11/myflashlab_logo.png' />!!";
            addChild(textField);
        }
    }
}

nothing fancy. Just a simple quick sample like this.

itlancer commented 3 years ago

@myflashlab At the reference https://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/flash/text/TextField.html#htmlText mentioned:

For AIR content in the application security sandbox, AIR ignores img tags in HTML content in ActionScript TextField objects. This is to prevent possible phishing attacks,

Many years ago I tried it and it works only for Flash Player output, not for AIR.

@ajwfrost, what "security issues" could be there? And could img tag be allowed in future AIR versions (it could be really helpful for many AIR applications)?

myflashlab commented 3 years ago

@itlancer Ah, that explains it. Thanks for pointing out that sentence. Anyhow, I was able to load images inline using TextFlow instead of the classic TextField class anyway.

Considering that this is not a bug, I'll close this ticket but I agree that it would be really nice if there's a possibility to support this feature with the TextField class.

ajwfrost commented 3 years ago

Thanks @itlancer - I hadn't realised that! but with that hint, we found the code that's preventing this, and yes it's exactly as you say.

There are some comments alongside this saying that the dangers are with loading of symbol linkages and of SWFs so it might be that we could allow some raw png/gif/jpg files to be included inline with the text.

Can I check, would you be wanting to pull in images from online, or from the local application assets? as the way things are structured, it's probably very straightforward to enable this if the img src attribute is a local file from within the application, and we could still block any out-of-control/web-based download of an image? Or would you want e.g. specific/known images, I can see a possibility where an application could want to pull images from their own webservers - but there's always a danger if you start to reference files that are outside of your own application's control as they may disappear (or be hacked)...

myflashlab commented 3 years ago

@ajwfrost It would be nice if it works at least from the local assets.

itlancer commented 3 years ago

@ajwfrost We would like to get png/jpg/gif (not swf) images to display in TextField::htmlText with scenarios:
1) "Local files" from app-storage://app:/
2) "Local files" from file:///
3) "Remote files" from our webservers
4) "Remote files" from not our webservers

In all cases sometimes files (and their URL/paths) are predefined, sometimes dynamically generated. But we understand that some images could contain "anything" in "content" matter.

If you think that could be dangerous in some cases then please clarify such cases. And maybe something like LoaderContext or a new "policy" property should be implemented to control loading images for img src.

And should a new Feature Request be opened for that, or should the current issue be reopened?

2jfw commented 3 years ago

<img src='img.png/>

Isn't a single quote ' missing here? -> <img src='img.png'/>? Or was this just a typo?

Anyways, seeing that

textField.htmlText = "test <img src='https://www.myflashlabs.com/wp-content/uploads/2015/11/myflashlab_logo.png' />!!"

looks fine - so just pointing out to reduce possible confusion on improper syntax

johnou commented 1 year ago

@ajwfrost could we introduce a domain whitelist similar to Security.allowDomain for allowing img tags? we load information / instruction HTML articles from our CDN (trusted) eg. https://sandbox.habbo.com/gamedata/habbopages/21oct01 and prior to AIR embedded images (also hosted on our CDN) worked without problems.

johnou commented 1 year ago

@ajwfrost ping

ajwfrost commented 1 year ago

Hi

Thanks for the ping :-) So yes, looking back at this one, it sounds like a domain approval list would be a good idea, as then the developer is in control of what domains would be allowed and it would still block anything a user had entered if that didn't match the approval list..

So we could introduce a list of protocol + domain combinations that are allowed, e.g. https://www.adobe.com or *://www.adobe.com or file:///*, app:/* etc.

And then hopefully it would (just?) work to include an img tag into a text field..?! will have to check on that part too.....

thanks
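
The approval-list matching sketched in the comment above, as an added JavaScript example that is not part of the original thread and not the AIR runtime's implementation. The function names and the `attacker.example` hosts are constructed, and the pattern syntax is assumed from the forms quoted in that comment (`https://www.adobe.com`, `*://www.adobe.com`, `file:///*`, `app:/*`); it compares the parsed scheme and host exactly and accepts only png/gif/jpg paths.

```javascript
// Added illustration, not AIR's implementation. Pattern syntax follows the
// examples in the comment above; path-level rules are out of scope here.
const RASTER = /\.(png|gif|jpe?g)$/i; // thread: raw png/gif/jpg, never SWF

// "https://www.adobe.com" -> { scheme: "https", host: "www.adobe.com" }
// "*://www.adobe.com" -> any scheme; "file:///*", "app:/*" -> any host
function parsePattern(pattern) {
  const m = /^([a-z][a-z0-9+.-]*|\*):\/{1,3}([^\/]*)/i.exec(pattern);
  if (!m) throw new Error("bad allow pattern: " + pattern);
  return { scheme: m[1].toLowerCase(), host: m[2].toLowerCase() };
}

function isAllowedImage(src, patterns) {
  let url;
  try {
    url = new URL(src); // real URL parser: handles userinfo, case, ports
  } catch (e) {
    return false; // relative or malformed src: no origin to approve
  }
  if (!RASTER.test(url.pathname)) return false;
  const scheme = url.protocol.slice(0, -1);
  return patterns.map(parsePattern).some((p) =>
    (p.scheme === "*" || p.scheme === scheme) &&
    // Exact host comparison: a prefix or substring test would accept
    // "www.adobe.com.attacker.example".
    (p.host === "*" || p.host === url.hostname));
}

// Return every <img src> in an htmlText string that the list does not approve.
function blockedImages(htmlText, patterns) {
  const re = /<img\b[^>]*?\bsrc\s*=\s*(['"])(.*?)\1/gi;
  const blocked = [];
  for (const m of htmlText.matchAll(re)) {
    if (!isAllowedImage(m[2], patterns)) blocked.push(m[2]);
  }
  return blocked;
}

// Constructed sample input.
const ALLOW = ["https://www.adobe.com", "app:/*"];
const SAMPLE =
  "a <img src='https://www.adobe.com/logo.png'/> " +
  "b <img src='app:/assets/icon.gif'/> " +
  "c <img src='https://www.adobe.com.attacker.example/x.png'/> " +
  "d <img src='https://www.adobe.com@attacker.example/x.png'/> " +
  "e <img src='https://www.adobe.com/movie.swf'/>";
console.log(blockedImages(SAMPLE, ALLOW));
```

Running the check on user-supplied or remotely fetched HTML before it reaches `htmlText` keeps the decision with the application developer, which is the property the approval list is meant to preserve.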

johnou commented 1 year ago

That would be perfect, thanks!

johnou commented 1 year ago

fwiw Security.allowDomain currently throws an exception when used in AIR [1], I guess a new config would need to be introduced?

[1]

SecurityError: Error #3207: Application-sandbox content cannot access this feature.
    at flash.system::Security$/allowDomain()

skramovskiy commented 1 year ago

Is there a solution as a result? How can I use an image in a text field in AIR?

ajwfrost commented 1 year ago

Hi - sorry, no solution as yet, we need to add a new API in for this. The Security.allowDomain() method is about allowing another domain to access stuff in the application context, which isn't allowed in AIR; this would be to allow the application context to load content in another domain. The current restriction was put in place to avoid the possibility of malicious injection of content but we are looking at shifting that authority/responsibility onto application developers by allowing them a way to bypass this.

It may be best (from a security perspective) to have this on a per-text-field setting, so we could add something like TextField.allowedDomains : Vector.<String> which would allow you to set the domains under which we would allow images to be loaded.

We did check, and if we ignore the security restriction in code, then the images do load.. although the layout doesn't look quite right to me, maybe that's just the images and text field height settings that I'm trying..

Will get this API update into the AIR 51 codebase..

johnou commented 1 year ago

Suggested setting sounds great, thanks Andrew!

waveofthought-code commented 1 year ago

domain security aside, is there anything currently stopping us from using library linkage symbols in a textfield with the <img> tag, or is that also "broken"?

ajwfrost commented 1 year ago

There is a comment in the code explicitly forbidding this too. The creation of a symbol could lead to other code execution - I guess that's all internal anyway (assuming the symbol was from your swf not a loaded one) but this is equally restricted in AIR at the moment.

So I guess we need a way to have an "allowed domain" to be the current SWF as well.... e.g. "app:/Main.swf" (being, loaderInfo.url).

johnou commented 1 year ago

@ajwfrost any updates on adding TextField.allowedDomains : Vector.<String>?

itlancer commented 8 months ago

For me it works fine using latest AIR 51 and https://airsdk.dev/reference/actionscript/3.0/flash/text/TextField.html#allowedDomains Thanks!