Based on this report, I’m wondering if Flash/AS3 also processes the right-to-left override and right-to-left embed characters?
For example, would a chat program implemented in AS be vulnerable to someone using RTLO/RTLE to circumvent profanity filters (e.g. writing “\u202E!nmad” to write “damn!”) or impersonate another user (e.g. putting “\u202EmoT” as their username to show up as “Tom”)?
If this is true, what countermeasures can be taken to avoid these issues?
It’s to do with the text renderer rather than ActionScript as such. If you’re using the new Flash 10 text renderer that supports bidirectional and complex text layout, then yes, user input may render in an unexpected way. The new text renderer is used by classes such as TextLine. You can see this in action by pasting something like:into the text layout example demo at http://blog.theflashblog.com/?p=442.
In the old text renderer you won’t get this, but you also won’t be able to render complex scripts properly either.
When you are accepting untrusted user input for inclusion in a wider string of text, whether or not Flash is involved, you should filter out these characters. A good group to choose to filter out is the one described by W3C as not suitable for use in markup. This includes the bidi overrides and a bunch of other generally troublesome control codes.
I would recommend most web applications routinely filter out all of these, as well as all the ASCII and C1 control codes other than newline (U+0000–U+0009, U+000B–U+001F, U+007F–U+009F).
(Profanity filters aren’t a compelling reason to disallow bidi IMO—they’re so easily fooled by almost anything that it’s not even worth bothering.)
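As an added example (not part of the question or the answer above), here is the input filter the answer recommends, written in JavaScript so it can run in a web client or on a Node server that sits in front of a Flash chat front end. It strips the ASCII and C1 control codes other than newline, using exactly the ranges the answer gives, together with the bidi embedding and override controls and the other characters in the W3C "not suitable for use in markup" group. The W3C ranges are listed here from memory and should be checked against the current W3C table; the inclusion of the newer bidi isolate controls U+2066 to U+2069 is my own assumption, made because they carry the same display risk as the older overrides. The sample strings are the two spoofing cases from the question plus a couple of constructed ones; `stripUnsafeControls` and `findUnsafeControls` are names chosen for this example.

```javascript
// Added example: filter untrusted text before it is concatenated into a
// larger string (chat messages, display names), following the answer above.
//
// Ranges taken from the answer:
//   ASCII/C1 control codes other than newline:
//     U+0000-U+0009, U+000B-U+001F, U+007F-U+009F
// W3C "not suitable for use in markup" group (listed from memory; verify
// against the current W3C table):
//   U+2028/U+2029 line and paragraph separators,
//   U+202A-U+202E bidi embedding/override controls (LRE, RLE, PDF, LRO, RLO),
//   U+206A-U+206F deprecated format characters,
//   U+FFF9-U+FFFB interlinear annotation characters.
// Assumption of this example: the newer bidi isolate controls U+2066-U+2069
// are added because they have the same display effect as the overrides.
const UNSAFE_CONTROL_CLASS =
  '[\u0000-\u0009\u000B-\u001F\u007F-\u009F' +
  '\u2028\u2029\u202A-\u202E\u2066-\u2069\u206A-\u206F\uFFF9-\uFFFB]';

// Global form for stripping, anchored single-character form for classification.
const STRIP_RE = new RegExp(UNSAFE_CONTROL_CLASS, 'g');
const ONE_CHAR_RE = new RegExp('^' + UNSAFE_CONTROL_CLASS + '$');

// Sanitising variant: remove every forbidden character, keep everything else
// (including ordinary newlines, which the answer explicitly allows).
function stripUnsafeControls(input) {
  return String(input).replace(STRIP_RE, '');
}

// Detection variant: list the forbidden code points present, in order, so a
// server can reject or log a display name instead of silently rewriting it.
function findUnsafeControls(input) {
  const found = [];
  for (const ch of String(input)) {
    if (ONE_CHAR_RE.test(ch)) {
      const hex = ch.codePointAt(0).toString(16).toUpperCase().padStart(4, '0');
      found.push('U+' + hex);
    }
  }
  return found;
}

// Constructed sample inputs: the two cases from the question (a filter bypass
// and a spoofed display name) plus a newline that must survive and a mix of
// C0/C1 codes that must not.
const samples = ['\u202E!nmad', '\u202EmoT', 'hello\nworld', 'a\tb\u0000c\u0085d'];
for (const s of samples) {
  console.log(
    JSON.stringify(s), '->', JSON.stringify(stripUnsafeControls(s)),
    'removed:', findUnsafeControls(s)
  );
}
```

With the filter applied, the name `"\u202EmoT"` is stored and compared as `moT`, so it no longer renders as, or can be confused with, an existing user called `Tom`; the detection variant is the one to use at registration time, where rejecting the name with an explanation is more honest than altering it.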