From: Csaba Gabor on
Thanks for a very interesting post/threads highlighting some
of the distinctions between HTAs and simple IE.

If I understand correctly, the philosophy of the HTA is,
"Gee, this IE was initiated by VBScript, therefore
perhaps it's not unreasonable to give the script proper
access." So why isn't the same philosophy followed
when VBScript initiates an IE? (that question is
meant to be rhetorical except for Microsoft system
designers/architects). There are, after all, now two
ways to gain this end - one by the means shown in the
post and the other by creating (or copying onto) a
.HTA, no? And doesn't that effectively undo all the
security introduced by such distinction?

Csaba Gabor from Vienna


On Jun 25, 6:01 pm, Tom Lavedas <tglba...(a)verizon.net> wrote:
> About ten days ago I adapted a Mayayana solution to create a
> "chromeless" msgbox replacement. The thread can be found here: http://groups.google.com/group/microsoft.public.scripting.vbscript/br....
>
> At the time I figured the only thing objectionable about the approach
> was that it flashed a large HTA window before it could be adjusted to
> the desired size. I asked if anyone might have a solution. Having
> received no response, I kept thinking about that problem. I was
> pretty sure a fix could be coded into the JavaScript used to create
> the HTA in the first place, but couldn't get it to work. Today I had
> a 'eureka' moment and after some fiddling got it worked out.
>
> Here is an example that presents a request for credentials and
> provides a simple UID/Password dialog box as an example of its use
> (watch for wordwrap) ...
>
> ' A simple example of HTABox
> ' ----------- Main -------------
> with HTABox("lightgrey", 150, 300, 400, 500)
>   .document.title = "Credentials"
>   .msg.innerHTML = "UserID: &nbsp; &nbsp; <input type=text size=20 id=UID>" _
>     & "<br>Password: <input type=password id=PW size=22><p>" _
>     & "<input type=submit value=Submit onclick='done.value=true'>"
>   .UID.value = createobject("wscript.network").username
>   .PW.focus
>   ' Poll the hidden 'done' control until the user submits or closes the box
>   do until .done.value : wsh.sleep 50 : loop
>   sUID = .UID.value : sPW = .PW.value
>   .close
> end with
>
> wsh.echo "UID:", sUID, "Password:", sPW
> '--------- Main Ends ------------
>
> ' Author: Tom Lavedas, June 2010
> Function HTABox(sBgColor, h, w, l, t)
>   Dim IE, HTA
>
>   ' Random property name, used below to find the new window again
>   randomize : nRnd = Int(1000000 * rnd)
>   sCmd = "mshta.exe ""javascript:" _
>     & "{with (new ActiveXObject(""InternetExplorer.Application"")) {" _
>     & "PutProperty('" & nRnd & "',window);" _
>     & "with (GetProperty('" & nRnd & "')){" _
>     & "resizeTo(" & w & "," & h & ");moveTo(" & l & "," & t & ")}}}"""
>
>   with CreateObject("WScript.Shell")
>     .Run sCmd, 1, False
>     ' Wait until a window whose title starts with the javascript: URL can be activated
>     do until .AppActivate("javascript:{with ") : WSH.sleep 10 : loop
>   end with ' WSHShell
>
>   ' Find the IE object carrying the random property and take the HTA window from it
>   For Each IE In CreateObject("Shell.Application").windows
>     If IsObject(IE.GetProperty(nRnd)) Then
>       set HTABox = IE.GetProperty(nRnd)
>       HTABox.document.title = "HTABox"
>       HTABox.document.write _
>         "<HTA:Application contextMenu=no border=thin " _
>         & "minimizebutton=no maximizebutton=no sysmenu=no />" _
>         & "<body scroll=no style='background-color:" _
>         & sBgColor & ";font:normal 10pt Arial' " _
>         & "onbeforeunload='vbscript:if not done.value then " _
>         & "window.event.cancelBubble=true:" _
>         & "window.event.returnValue=false:" _
>         & "done.value=true:end if'>" _
>         & "<input type=hidden id=done value=false>" _
>         & "<center><span id=msg>&nbsp;</span></center></body>"
>       Exit Function
>     End If
>   Next
>
>   ' I can't imagine how this line can be reached, but just in case
>   MsgBox "HTA window not found." : wsh.quit
>
> End Function
> ' ---------- code ends -------------
>
> I chose to make the dialog box as simple as possible, purposely devoid
> of 'bells and whistles'. It merely returns a handle to the HTA window
> that is created. It does provide some fundamental features such as
> the setting of background color, height, width, left position and top
> position. The actual controls for the object are left to the user to
> define through the 'msg' object that the routine creates. A user's
> intention to continue is signaled via the hidden 'done' control, by
> setting its value to True. However, a script is free to close the
> window at any time by issuing a 'close' command. The script example
> provides some illustrative code and logic.
>
> Enjoy.
> _____________________
> Tom Lavedas
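
Added example, not part of any poster's message: the launch pattern in the script above (mshta.exe handed a javascript: URL instead of an .hta file, then creating an ActiveX object) is visible in process-creation logs, so a defender can triage it from the command line alone. The function names and the sample events are constructed for illustration.

```python
import re

# Script schemes that mshta.exe runs directly from its command-line argument.
INLINE_SCHEMES = ("javascript:", "vbscript:")
MSHTA = re.compile(r'(?:^|[\\/"\s])mshta(?:\.exe)?"?\s+(.*)$', re.I)
ACTIVEX = re.compile(r'\b(?:new\s+ActiveXObject|CreateObject|GetObject)\s*\(', re.I)

# Constructed sample events: (parent image, child command line).
SAMPLE_EVENTS = [
    ("wscript.exe", 'mshta.exe "javascript:{with (new ActiveXObject('
                    '"InternetExplorer.Application")){PutProperty(\'123456\',window)}}"'),
    ("explorer.exe", r'"C:\Windows\System32\mshta.exe" "C:\Tools\homepage.hta"'),
    ("cmd.exe", r"notepad.exe C:\notes\mshta.txt"),
]

def classify_mshta(cmdline):
    """Return None for non-mshta commands, else a dict describing the argument."""
    m = MSHTA.search(cmdline.strip())
    if not m:
        return None
    arg = m.group(1).strip().strip('"').lstrip()
    low = arg.lower()
    if low.startswith(INLINE_SCHEMES):
        kind = "inline-script"      # no .hta file on disk, the script is the argument
    elif low.startswith(("http://", "https://", "\\\\")):
        kind = "remote-hta"         # HTA fetched from a URL or UNC path
    else:
        kind = "local-hta"
    return {"kind": kind, "activex": bool(ACTIVEX.search(arg)), "arg": arg[:60]}

def triage(events):
    """Return findings for mshta launches that do not point at a local file."""
    findings = []
    for parent, cmd in events:
        info = classify_mshta(cmd)
        if info and info["kind"] != "local-hta":
            findings.append(dict(info, parent=parent))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f)
```
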
From: Mayayana on
|
| If I understand correctly, the philosophy of the HTA is,
| "Gee, this IE was initiated by VBScript, therefore
| perhaps it's not unreasonable to give the script proper
| access." So why isn't the same philosophy followed
| when VBScript initiates an IE? (that question is
| meant to be rhetorical except for Microsoft system
| designers/architects). There are, after all, now two
| ways to gain this end - one by the means shown in the
| post and the other by creating (or copying onto) a
| .HTA, no? And doesn't that effectively undo all the
| security introduced by such distinction?
|
I'm wondering about that, too. HTAs were introduced
as a way to continue using IE/script utilities in the face
of increasing IE security. In Win98 I blocked HTAs, never
used IE online, and used .html files for scripted utilities.
HTAs seemed like an unnecessary security risk.

But post-Win9x, an HTA is really the only way to do
much of anything in IE without being blocked by security
restrictions. I still wouldn't take IE online. I now think
of it as an HTA-based scripting GUI. But the methods
we're using to get file open dialogs and custom message
boxes really shouldn't be possible from the point of view
of Microsoft's IE security approach.

I wouldn't be surprised if MS "fixes" that functionality,
the same way they've blocked the production of custom
message boxes, offscreen IE instances, etc.


From: "Dave "Crash" Dummy" on
Mayayana wrote:
> |
> | If I understand correctly, the philosophy of the HTA is,
> | "Gee, this IE was initiated by VBScript, therefore
> | perhaps it's not unreasonable to give the script proper
> | access." So why isn't the same philosophy followed
> | when VBScript initiates an IE? (that question is
> | meant to be rhetorical except for Microsoft system
> | designers/architects). There are, after all, now two
> | ways to gain this end - one by the means shown in the
> | post and the other by creating (or copying onto) a
> | .HTA, no? And doesn't that effectively undo all the
> | security introduced by such distinction?
> |
> I'm wondering about that, too. HTAs were introduced as a way to
> continue using IE/script utilities in the face of increasing IE
> security. In Win98 I blocked HTAs, never used IE online, and used
> .html files for scripted utilities. HTAs seemed like an unnecessary
> security risk.
>
> But post-Win9x, an HTA is really the only way to do much of anything
> in IE without being blocked by security restrictions. I still
> wouldn't take IE online. I now think of it as an HTA-based scripting
> GUI. But the methods we're using to get file open dialogs and custom
> message boxes really shouldn't be possible from the point of view of
> Microsoft's IE security approach.
>
> I wouldn't be surprised if MS "fixes" that functionality, the same
> way they've blocked the production of custom message boxes, offscreen
> IE instances, etc.

I used to get around a lot of those IE security restrictions by making
Zone 0 visible then unblocking everything, but I haven't figured out how
to do that in Windows 7, so I'm using HTA, instead. I've had to rewrite
a lot of homebuilt utilities, including my browser home page.
--
Crash

"Patriotism is the last refuge of a scoundrel."
~ Samuel Johnson ~
From: Mayayana on
| I used to get around a lot of those IE security restrictions by making
| Zone 0 visible then unblocking everything, but I haven't figured out how
| to do that in Windows 7, so I'm using HTA, instead. I've had to rewrite
| a lot of homebuilt utilities, including my browser home page.

It keeps getting harder. IE security has become
a mess piled onto a mess piled onto a mess. I wrote
a script to demonstrate the *8* Registry values
currently involved with IE settings:

http://www.jsware.net/jsware/zips/ielocal.zip

Linked from this info. page:

http://www.jsware.net/jsware/iewacky.php5

I don't think I've actually tried the script in Win7.
Like you, I only use HTAs now. I got tired of figuring
out all of those convoluted "secret" settings. IE is
really designed to be controlled by sys. admins in
corporations, used by employees on intranets.


From: Al Dunbar on


"Csaba Gabor" <danswer(a)gmail.com> wrote in message
news:766088c9-f311-459a-bfc9-23bd9ba74f80(a)t10g2000yqg.googlegroups.com...
> Thanks for a very interesting post/threads highlighting some
> of the distinctions between HTAs and simple IE.
>
> If I understand correctly,

you don't...

> the philosophy of the HTA is,
> "Gee, this IE was initiated by VBScript, therefore
> perhaps it's not unreasonable to give the script proper
> access."

As I understand it, the HTA was created as a way to develop applications
having the same level of security restrictions as .exe's (i.e. none). There
is no distinction about how the HTA (or HTML web page) is started and
whether or not it is being manipulated by script not contained in the HTA
itself.

> So why isn't the same philosophy followed
> when VBScript initiates an IE? (that question is
> meant to be rhetorical except for Microsoft system
> designers/architects). There are, after all, now two
> ways to gain this end - one by the means shown in the
> post and the other by creating (or copying onto) a
> .HTA, no? And doesn't that effectively undo all the
> security introduced by such distinction?

The idea is that an application you develop (or purchase) is generally more
trustworthy than whatever web site your browser might take you to.

/Al
