Re: Make Active X Controls Safe

Hi,

I've created a HTML page with VBScript code.

Whenever the page is loaded in Internet Explorer, I get the following:

(1) The page is blocked by MS Popup blocker (because it contains a script)
(2) I get the following message after I unblock the page

An ActiveX control on this page might be unsafe to interact with other parts of the page. Do you want to allow this interactions?

How do I make my script safe for this message not to appear?

Any help
Thanks
Sunny

If this is something you are using locally you might look into using an .HTA vs an HTML file. HTA is the same, but has less restrictions. I haven't used them before so I don't know the details. I ran across this researching something else.

You simply have your Internet Explorer security settings set very high. For your own use, you might want to go into IE's settings and relax the settings. However, since this is a web page, you must consider other users as well. I, for example, have my settings set so that IE prompts me when a web page script wants to access an ActiveX control on my computer, or if the script wants to download an ActiveX control and run it. I have it set that way to prevent Macromedia Flash from getting onto my computer.

People are increasingly intolerant of client-side scripting accessing or downloading ActiveX controls, so you can: 1) redesign your page without the ActiveX control; 2) inform the user about exactly what you are doing. For example, if your page uses the Tabular Data Control, which is perfectly safe and is distributed by Microsoft, then tell the user that is what you are doing so that they can allow the script to access the control on their computer.

Besides (and in combination of) losen the security settings (and you would probably want to do that if it's running locally and is written by yourself), you could also sign the scripts if you have a certificate or can obtain one from a source in which your computer trusted (usually DCs or dedicated CA servers). By doing that, you can only allow signed scripts to run while keep other unknown scripts from running that could possibly do some damages unexpectedly.

Thanks for your replies.

My settings are set to Internet Explorer Defaults.

I have created simple HTML pages that have basic VBScripts and when I load the page Internet Explorer DOESNÒT display the interaction message box.

This what I get with my current code.
"An ActiveX control on this page might be unsafe to interact with other parts of this page. Do you want to allow this interaction?"

''''''''''''''
<html>
<head>
<SCRIPT language = "vbscript">

sComputerName = "cougar" '<< change to your pc name

Set oShell = CreateObject("WScript.Shell")
Set fso = CreateObject("Scripting.FileSystemObject")

oShell.Run("CMD /c ping -n 1 -w 1 " & sComputerName & ">d:\ping.txt"),0,TRUE '<< change drive letter

Set ofile = fso.OpenTextFile("d:\ping.txt", 1) '<< change drive letter

If InStr(oFile.ReadAll, "Reply from") Then

location.href = "http://www.msn.com"
Else
location.href = "http://www.lboro.ac.uk"
End If

ofile.close
set ofile = fso.getfile("d:\ping.txt") '<< change drive letter
ofile.delete

</script>
</head>
<body>
</body>
</html>
''''''''''''''''''

This has led me to believe that part of my code is the problem, but unfortunately I cant define which parts.

Does anyone have experience with this sort of problem?

If you need to test out my code, I have listed above, you will need to change some parts to work on your PC, I have commented where the change needs to be

Kind Regards

This worked for me. I did receive an IE popup stating

quote:

---

An ActiveX Control on this page might be unsafe to insteract with other parts of the page. Do you want to allow this interaction?

---

If I click yes I am brought to www.msn.com

If I convert this into an HTA I do not get the prompt and MSN opens.

Edit: Knew I forgot something. Most of my activeX controls are set to prompt before download.

Hi,

I've tried HTA, because this HTA page is set as the Home Page and every time IE is loaded it asks if you want to download the file instead of just opening like a normal web page. Otherwise the file would have been fine.

Any other suggestions?

I don't know if and how I can "sign" the VBScript and make them safe within our Domain.

Can objects like oShell and oFSO be created some other way?

Sunny

Why can't you just lower the security restriction so that it won't prompt the user whether the script should execute or not ?

If you have your own CA in your domain, you can get a certificate from one of the CAs. If you don't you can purchase a 3rd party certificate but I don't think anyone would spend the money on this.

There are other ways of creating these objects but I'm not familiar with their syntax and I can't explain to you if they don't work the way you intend to. If you do a search on google, you should be able to find some information.

eg:

1. set shell = New ActiveXObject("WScript.Shell")

2. Above the <script language="vbscript"> tag, place the following
line: (from other post in this forum, do a search for full story if you want)

<object classid="clsid:{72C24DD5-D70A-438B-8A42-98424B88AFB8}"
id="o_sehllobj"></object>

Ouch, token! You mixed together javascript and vbscript. Line 1 is javascript.

Also, this poster is just a bad listener. He dismissed my comments about the security settings by saying they are the default settings as though that is not the problem. The default settings are configured to protect the computer, so they are going to disallow extremely dangerous scripts like this one that instantiate an ActiveX object that accesses the computer's file system. Like duh! He has three choices: 1) Relax the security settings in the browser vis-a-vis the ActiveX control settings; 2) accomplish this task some other way; or 3) just say 'yes' to the darn question! This is a dangerous operation. The browser is not going to just allow it without a warning.

Oh ? Was wondering the syntax and such; I just paste what was posted. Like I say, I have no idea what your post did, and Line 1 just looks fancy to me :) Thanks for letting me know though :D

Yes, I believe those are the choices he can have. If I remember correctly, I believe scripts running in the Local Intranet Zone are allowed to run ActiveX scripts (I could be wrong though)If that is the case and he runs the scripts from his local computer, I don't see why he gets the warning (maybe it's SP2).

Oh well, I guess he needs to listen to get more suggestions. After all, we already gave ours and he needs to decide what he wants to do.

Cheers.