A new HTA based message box
in [VbScript]
|
From: Csaba Gabor on 26 Jun 2010 06:42 Thanks for a very interesting post/threads highlighting some of the distinctions between HTAs and simple IE. If I understand correctly, the philosophy of the HTA is, "Gee, this IE was initiated by VBScript, therefore perhaps its not unreasonable to give the script proper access." So why isn't the same philosophy followed when VBScript initiates an IE? (that question is meant to be rhetorical except for Microsoft system designers/architects). There are, after all, now two ways to gain this end - one by the means shown in the post and the other by creating (or copying onto) a ..HTA, no? And doesn't that effectively undo all the security introduced by such distinction? Csaba Gabor from Vienna On Jun 25, 6:01 pm, Tom Lavedas <tglba...(a)verizon.net> wrote: > About ten days ago I adapted a Mayayana solution to create a > "chromeless" msgbox replacement. The thread can be found here:http://groups.google.com/group/microsoft.public.scripting.vbscript/br.... > > At the time I figured the only thing objectionable about the approach > was that it flashed a large HTA window before it could be adjusted to > the desired size. I asked if anyone might have a solution. Having > received no response, I kept thinking about that problem. I was > pretty sure a fix could be coded into the JavaScript used to create > the HTA in the first place, but couldn't get it to work. Today I had > a 'eureka' moment and after some fiddling got it worked out. > > Hear is an example that presents a request for credentials and > provides a simple UID/Password dialog box as an example of its use > (watch for wordwrap) ... > > ' A simple example of HTABox > -----------' Main ------------- > with HTABox("lightgrey", 150, 300, 400, 500) > .document.title = "Credentials" > .msg.innerHTML = "UserID: <input type=text size=20 > id=UID>"_ > & "<br>Password: <input type=password id=PW > size=22><p>" _ > & "<input type=submit value=Submit > onclick='done.value=true'>" > .UID.value = createobject("wscript.network").username > .PW.focus > do until .done.value : wsh.sleep 50 : loop > sUID = .UID.value : sPW = .PW.value > .close > end with > > wsh.echo "UID:", sUID, "Password:", sPW > '--------- Main Ends ------------ > > ' Author: Tom Lavedas, June 2010 > Function HTABox(sBgColor, h, w, l, t) > Dim IE, HTA > > randomize : nRnd = Int(1000000 * rnd) > sCmd = "mshta.exe ""javascript:" _ > & "{with (new ActiveXObject(""InternetExplorer.Application"")) > {" _ > & "PutProperty('" & nRnd & "',window);" _ > & "with (GetProperty('" & nRnd & "')){" _ > & "resizeTo(" & w & "," & h & ");moveTo(" & l & "," & t & > ")}}}""" > > with CreateObject("WScript.Shell") > .Run sCmd, 1, False > do until .AppActivate("javascript:{with ") : WSH.sleep 10 : loop > end with ' WSHShell > > For Each IE In CreateObject("Shell.Application").windows > If IsObject(IE.GetProperty(nRnd)) Then > set HTABox = IE.GetProperty(nRnd) > HTABox.document.title = "HTABox" > HTABox.document.write _ > "<HTA:Application contextMenu=no border=thin " _ > & "minimizebutton=no maximizebutton=no sysmenu=no />" _ > & "<body scroll=no style='background-color:" _ > & sBgColor & ";font:normal 10pt Arial' " _ > & "onbeforeunload='vbscript:if not done.value then " _ > & "window.event.cancelBubble=true:" _ > & "window.event.returnValue=false:" _ > & "done.value=true:end if'>" _ > & "<input type=hidden id=done value=false>" _ > & "<center><span id=msg> </span><center></body>" > Exit Function > End If > Next > > ' I can't imagine how this line can be reached, but just in case > MsgBox "HTA window not found." : wsh.quit > > End Function > ' ---------- code ends ------------- > > I chose to make the dialog box as simple as possible, purposely devoid > of 'bells and whistles'. It merely returns a handle to the HTA window > that is created. It does provided some fundamental features such as > the setting of background color, height, width, left position and top > position. The actual controls for the object are left to the user to > define through the 'msg' object that the routine creates. A user's > intention to continue is signaled via the hidden 'done' control, by > setting its value to True. However, a script is free to close the > window at any time by issuing a 'close' command. The script example > provides some illustrative code and logic. > > Enjoy. > _____________________ > Tom Lavedas
From: Mayayana on 26 Jun 2010 09:01 | | If I understand correctly, the philosophy of the HTA is, | "Gee, this IE was initiated by VBScript, therefore | perhaps its not unreasonable to give the script proper | access." So why isn't the same philosophy followed | when VBScript initiates an IE? (that question is | meant to be rhetorical except for Microsoft system | designers/architects). There are, after all, now two | ways to gain this end - one by the means shown in the | post and the other by creating (or copying onto) a | .HTA, no? And doesn't that effectively undo all the | security introduced by such distinction? | I'm wondering about that, too. HTAs were introduced as a way to continue using IE/script utilities in the face of increasing IE security. In Win98 I blocked HTAs, never used IE online, and used .html files for scripted utilities. HTAs seemed like an unnecessary security risk. But post-Win9x, an HTA is really the only way to do much of anything in IE without being blocked by security restrictions. I still wouldn't take IE online. I now think of it as an HTA-based scripting GUI. But the methods we're using to get file open dialogs and custom message boxes really shouldn't be possible from the point of view of Microsoft's IE security approach. I wouldn't be surprised if MS "fixes" that functionality, the same way they've blocked the production of custom message boxes, offscreen IE instances, etc.
From: "Dave "Crash" Dummy" on 26 Jun 2010 11:37 Mayayana wrote: > | | If I understand correctly, the philosophy of the HTA is, | "Gee, > this IE was initiated by VBScript, therefore | perhaps its not > unreasonable to give the script proper | access." So why isn't the > same philosophy followed | when VBScript initiates an IE? (that > question is | meant to be rhetorical except for Microsoft system | > designers/architects). There are, after all, now two | ways to gain > this end - one by the means shown in the | post and the other by > creating (or copying onto) a | .HTA, no? And doesn't that > effectively undo all the | security introduced by such distinction? | > I'm wondering about that, too. HTAs were introduced as a way to > continue using IE/script utilities in the face of increasing IE > security. In Win98 I blocked HTAs, never used IE online, and used > .html files for scripted utilities. HTAs seemed like an unnecessary > security risk. > > But post-Win9x, an HTA is really the only way to do much of anything > in IE without being blocked by security restrictions. I still > wouldn't take IE online. I now think of it as an HTA-based scripting > GUI. But the methods we're using to get file open dialogs and custom > message boxes really shouldn't be possible from the point of view of > Microsoft's IE security approach. > > I wouldn't be surprised if MS "fixes" that functionality, the same > way they've blocked the production of custom message boxes, offscreen > IE instances, etc. I used to get around a lot of those IE security restrictions by making Zone 0 visible then unblocking everything, but I haven't figured out how to do that in Windows 7, so I'm using HTA, instead. I've had to rewrite a lot of homebuilt utilities, including my browser home page. -- Crash "Patriotism is the last refuge of a scoundrel." ~ Samuel Johnson ~
From: Mayayana on 26 Jun 2010 12:06 | I used to get around a lot of those IE security restrictions by making | Zone 0 visible then unblocking everything, but I haven't figured out how | to do that in Windows 7, so I'm using HTA, instead. I've had to rewrite | a lot of homebuilt utilities, including my browser home page. It keeps getting harder. IE security has become a mess piled onto a mess piled onto a mess. I wrote a script to demonstrate the *8* Registry values currently involved with IE settings: http://www.jsware.net/jsware/zips/ielocal.zip Linked from this info. page: http://www.jsware.net/jsware/iewacky.php5 I don't think I've actually tried the script in Win7. Like you, I only use HTAs now. I got tired of figuring out all of those convoluted "secret" settings. IE is really designed to be controlled by sys. admins in corporations, used by employees on intranets.
From: Al Dunbar on 26 Jun 2010 18:48 "Csaba Gabor" <danswer(a)gmail.com> wrote in message news:766088c9-f311-459a-bfc9-23bd9ba74f80(a)t10g2000yqg.googlegroups.com... > Thanks for a very interesting post/threads highlighting some > of the distinctions between HTAs and simple IE. > > If I understand correctly, you don't... > the philosophy of the HTA is, > "Gee, this IE was initiated by VBScript, therefore > perhaps its not unreasonable to give the script proper > access." As I understand it, the HTA was created as a way to develop applications having the same level of security restrictions as .exe's (i.e. none). There is no distinction about how the HTA (or HTML web page) is started and whether or not it is being manipulated by script not contained in the HTA itself. > So why isn't the same philosophy followed > when VBScript initiates an IE? (that question is > meant to be rhetorical except for Microsoft system > designers/architects). There are, after all, now two > ways to gain this end - one by the means shown in the > post and the other by creating (or copying onto) a > .HTA, no? And doesn't that effectively undo all the > security introduced by such distinction? The idea is that an application you develop (or purchase) is generally more trustworthy than whatever web site your browser might take you to. /Al > > Csaba Gabor from Vienna > > > On Jun 25, 6:01 pm, Tom Lavedas <tglba...(a)verizon.net> wrote: >> About ten days ago I adapted a Mayayana solution to create a >> "chromeless" msgbox replacement. The thread can be found >> here:http://groups.google.com/group/microsoft.public.scripting.vbscript/br.... >> >> At the time I figured the only thing objectionable about the approach >> was that it flashed a large HTA window before it could be adjusted to >> the desired size. I asked if anyone might have a solution. Having >> received no response, I kept thinking about that problem. I was >> pretty sure a fix could be coded into the JavaScript used to create >> the HTA in the first place, but couldn't get it to work. Today I had >> a 'eureka' moment and after some fiddling got it worked out. >> >> Hear is an example that presents a request for credentials and >> provides a simple UID/Password dialog box as an example of its use >> (watch for wordwrap) ... >> >> ' A simple example of HTABox >> -----------' Main ------------- >> with HTABox("lightgrey", 150, 300, 400, 500) >> .document.title = "Credentials" >> .msg.innerHTML = "UserID: <input type=text size=20 >> id=UID>"_ >> & "<br>Password: <input type=password id=PW >> size=22><p>" _ >> & "<input type=submit value=Submit >> onclick='done.value=true'>" >> .UID.value = createobject("wscript.network").username >> .PW.focus >> do until .done.value : wsh.sleep 50 : loop >> sUID = .UID.value : sPW = .PW.value >> .close >> end with >> >> wsh.echo "UID:", sUID, "Password:", sPW >> '--------- Main Ends ------------ >> >> ' Author: Tom Lavedas, June 2010 >> Function HTABox(sBgColor, h, w, l, t) >> Dim IE, HTA >> >> randomize : nRnd = Int(1000000 * rnd) >> sCmd = "mshta.exe ""javascript:" _ >> & "{with (new ActiveXObject(""InternetExplorer.Application"")) >> {" _ >> & "PutProperty('" & nRnd & "',window);" _ >> & "with (GetProperty('" & nRnd & "')){" _ >> & "resizeTo(" & w & "," & h & ");moveTo(" & l & "," & t & >> ")}}}""" >> >> with CreateObject("WScript.Shell") >> .Run sCmd, 1, False >> do until .AppActivate("javascript:{with ") : WSH.sleep 10 : loop >> end with ' WSHShell >> >> For Each IE In CreateObject("Shell.Application").windows >> If IsObject(IE.GetProperty(nRnd)) Then >> set HTABox = IE.GetProperty(nRnd) >> HTABox.document.title = "HTABox" >> HTABox.document.write _ >> "<HTA:Application contextMenu=no border=thin " _ >> & "minimizebutton=no maximizebutton=no sysmenu=no />" _ >> & "<body scroll=no style='background-color:" _ >> & sBgColor & ";font:normal 10pt Arial' " _ >> & "onbeforeunload='vbscript:if not done.value then " _ >> & "window.event.cancelBubble=true:" _ >> & "window.event.returnValue=false:" _ >> & "done.value=true:end if'>" _ >> & "<input type=hidden id=done value=false>" _ >> & "<center><span id=msg> </span><center></body>" >> Exit Function >> End If >> Next >> >> ' I can't imagine how this line can be reached, but just in case >> MsgBox "HTA window not found." : wsh.quit >> >> End Function >> ' ---------- code ends ------------- >> >> I chose to make the dialog box as simple as possible, purposely devoid >> of 'bells and whistles'. It merely returns a handle to the HTA window >> that is created. It does provided some fundamental features such as >> the setting of background color, height, width, left position and top >> position. The actual controls for the object are left to the user to >> define through the 'msg' object that the routine creates. A user's >> intention to continue is signaled via the hidden 'done' control, by >> setting its value to True. However, a script is free to close the >> window at any time by issuing a 'close' command. The script example >> provides some illustrative code and logic. >> >> Enjoy. >> _____________________ >> Tom Lavedas
|
Next
|
Last
Pages: 1 2 3 Prev: A new HTA based message box Next: VBScript to add local accounts on multiple machines |