Activex and message unsafe

[tkjames]

Application: Application Using ASP
Web Server : IS 4.0
Database: ORacle
Browser : Internet Explorer 5.0

This application has a search screen and the output of the search is displayed brought to the browser in XML format and displayed using XSL templates. It has a facility to save the output into Excel format. I am using the excel automation object from the cleint machine to save the XML data into excel file. But I am facing the following problems

1. The save operation works only if I set the propety
‘Initialize and script ActiveX controls not marked as safe’
to prompt in the options screen. if it is set to enable/disable it doe snot work

2. When I actually save to the excel file , it shows the following message

"Some Software (ActiveX control) on this page may be unsafe. It is recommended that you not run it. Do you want to allow it to run?"

Since I am using the automation object from microsoft, I though it should be safe. Then why is it displaying message.

Do you guys know how to get rid of this message? Or is ther eany better way of savinginto excel file?

Please help

 

[gztomoto]

The same problem happened to me.
And the software I decided is denied by my boss.
Someone help.

 

[Guest_imported]

Function ReadFiles1(specfile)
Dim fso
Const ForReading=1
Set fso=CreateObject("Scripting.FileSystemObject&quot
If (fso.FileExists(specfile)=False) Then
Msgbox "file not exist!"
End Function

This is part of my program, and I don't know why it cause
"Some Software (ActiveX control) on this page may be unsafe. It is recommended that you not run it. Do you want to allow it to run?"
It would trouble my client.

Is there some way to deal with it? Such as using regedit?

please help.

 

[RogerFGay]

This question is exactly why I've been browsing this forum. I wrote some code to read script files into a JavaScript program. I'm prototyping on my own local machine, and haven't tried to convert this to server (asp) code yet.

var inFileObj = new ActiveXObject("Scripting.FileSystemObject"

An alert message pops up that would likely scare any normal user to death.

"An ActiveX control on this page might be unsafe to interact with other parts of the page. Do you want to allow this interaction?"

The only guess I had as to why it would do such a rude and scarey thing without my permission, is that there is a security bug in IE, and ActiveX can take advantage of it. I don't know if that's why. But, I'd certainly like to find a simple way to get rid of the message. I can't release an application that pops up rude and scarey messages like that.

 

[Cagliostro]

You should singn your COM object. John Fill

ivfmd@mail.md

 

[RogerFGay]

JohnFill,

What does that mean? At least give me a hint. (I suppose you've already explained it elsewhere.)

I've been working on this on and off today, and have discovered a thing or two. First of all, if you go to msdn.microsoft.com and search for Scripting.FileSystemObject you'll find them warning that there are serious security problems related to its use. (The actual web page address .... well, too long in any case or I'd give it.)

Keeping in mind that I was running in client-JavaScript:
A bite:

"Because use of the FSO on the client side raises serious security issues about providing potentially unwelcome access to a client's local file system, this documentation assumes use of the FSO object model to create scripts executed by Internet Web pages on the server side. Since the server side is used, the Internet Explorer default security settings do not allow client-side use of the FileSystemObject object. Overriding those defaults could subject a local computer to unwelcome access to the file system, which could result in total destruction of the file system's integrity, causing loss of data, or worse."

-- I guess that's why we get the rude horrifying alerts. As I said, I haven't tried this in ASP on a server yet.

-- What I did do, just for fun (sort of), was I read my JavaScript (html) file using Microsoft.XMLDOM instead. Once I swapped the <, &&, ! sorts of things for functions (in another file that was loaded in a different frame) it didn't choke and everything worked just fine, just as I wanted it to, and without the rude horrifying warning message.

-- Now, this isn't the solution I'd like to have in the long run. I do want to have some of my code running in ASP, which for all I know, might solve the problem, but I still want to know what you mean by signing the COM... like with my name? With a + or - ? What do you mean?

-- Also, there might just be some other COM available that might do the trick without resorting to modifying my JavaScript code to make it all XML compatable (fine for html without script, but I don't really want to parse this anyway). I have run across some other COM objects like Exel.Application or whatever, but of course that's not what I want. Yes, in fact, it seems like Scripting.FileSystemObject is exactly what I want, because later on I'll want to create and write files to some disk as well; whether its to the server the program resides on or when the user wants to use the application to create data that they want to save locally (whether the application is running from a server or locally.)

-- Of course, whatever I do, I don't want the program haunted by the alert message.


SIGNED: Roger

 

[Cagliostro]

try

http://www.thawte.com

and get a signature for developers. You should find there all the instruction of using it. The prorgam with signature mean:
1. If program has updated since signed the program is unsafe.
2. Who use your program, know what you're resposible for harms.
3. This program is made by a real person.

If not, the program is unsafe. John Fill

ivfmd@mail.md

 

[RogerFGay]

I note this requires buying something. The initial comments explain;

&quot;Thawte Developer Certificates allow you to sign your code and macros for secure delivery over the internet.&quot;

Does this really have something to do with the alert warning I get when I'm running a program from my own disk in my own browser?

 

[Cagliostro]

Yes, is quite the same if you do in through the browser. John Fill

ivfmd@mail.md

 

[RogerFGay]

Thanks for your comments John. I have more research to do, but you've helped set me on a path to salvation. Here's an interesting and straightforward article I found, that may help people understand why this has been turned into such a problem; with a little tip included.

http://www.webdevelopersjournal.com/articles/filesystemobject.html

Now I'm disappointed re: the first post in this thread, that error messages even pop-up when trying to write to an exel file. One of the interesting work-arounds (for reading) I found, is to read as xml. This wasn't so hard to do since what I was reading was already imbedded in html (which I wrote as xml compliant). But, I'm now going to ask around if anyone knows if it's possible to write an XML file to disk (how to save data when created using the program). ActiveXObject (&quot;Microsoft.XMLDOM&quot or whatever XML parsing COM. {I'd also like to find a COM for simply reading and writing files of other kinds.)

Now, in the end, maybe the final solution is to write some Java or C/C++ ... just don't do this stuff in script. Maybe that's it. I really don't know yet, but I'd have to say I'm really impressed with all the hoops one has to jump through to do some of the most basic programming operations, reading and writing .... I mean like .... isn't it in chapter one of the book in CS101 ... input - process - output?

But I get it! Really I do. If every web page out there could read anything and write anything anywhere, we'd soon be in big trouble.