Re: mshtml
From: Sascha Sertel (sascha_at_ninaza.com)
Date: 07/01/04
- Previous message: silvia: "Can't download printing DLL"
- In reply to: Alvin Bruney [MVP]: "Re: mshtml"
- Next in thread: Alvin Bruney [MVP]: "Re: mshtml"
- Reply: Alvin Bruney [MVP]: "Re: mshtml"
Date: Thu, 1 Jul 2004 08:31:04 -0700
Hi there,
> that's a security concern you are dealing with. what if a virus could do
> what you are after. at midnight it fires a print with 10 million copies and
> presses ok on the print dialog...
I don't agree. While the security concern you are mentioning might be part
of it, I still consider it a pure inconvenience, and Microsoft is not really
consistent with this kind of behavior. For example, it is possible with a
simple JavaScript or Python script to execute print functionality on any
Internet Explorer window. Here is a sample Python script that will
demonstrate what I mean:
------ Python Script start ---------
import win32com.client
from time import sleep
# look in the makepy output for IE for the "CLSIDToClassMap"
# dictionary, and find the entry for "ShellWindows"
clsid = '{9BA05972-F6A8-11CF-A442-00A0C90A8F39}'
# commands
OLECMDID_PRINT = 6
OLECMDEXECOPT_DONTPROMPTUSER = 2
ShellWindows = win32com.client.Dispatch(clsid)
# print the current IE document without prompting the user for the
# printer dialog
ie = ShellWindows[1]
ie.ExecWB(OLECMDID_PRINT, OLECMDEXECOPT_DONTPROMPTUSER)
------ Python Script end ---------
If you execute the above script on a Python console, it will print the
contents of the first Internet Explorer window (the second actually, since
the index starts at 0, but the 0 window is usually the explorer instance
that is used for the taskbar etc.) without asking for anything. It's even
easier than a virus to put that on a webpage and have 1 million copies of
the webpage printed. The only thing which is not possible is to choose the
printer like that, it will always take the default printer.
There are other examples, for instance Microsoft Outlook. Usually Outlook
will ask you if you want to allow access to another program if it tries to
access the inbox or send an email. But this is only true as long as you use
a certain Outlook Application object. In the Knowledge Base they explain
exactly that you can also use a different Outlook object which will not ask
any questions and just execute what you want.
As for Gregor's initial question, it's probably true that you cannot pass
that DONTPROMPTUSER value there somehow, but if you can just open your HTML
document in an (invisible) Internet Explorer instance and use a mechanism
like the one shown above (it's also possible in JavaScript and VBScript) you should
be able to print your HTML file without showing a print dialog.
Sorry for the ranting, but security should be implemented through proper
authorization mechanisms, not through missing functionality.
Sascha
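
Added example, not part of the original post: a static check that flags Python scripts calling ExecWB with the two values quoted in the message (OLECMDID_PRINT = 6, OLECMDEXECOPT_DONTPROMPTUSER = 2), for reviewing automation scripts before they run. The function name, the sample script and the OLECMDEXECOPT_PROMPTUSER line in it are constructed for illustration; only module-level integer assignments are resolved.

```python
import ast

OLECMDID_PRINT = 6                 # value quoted in the post
OLECMDEXECOPT_DONTPROMPTUSER = 2   # value quoted in the post

def find_silent_prints(source):
    """Return sorted line numbers of ExecWB(print, don't-prompt) calls."""
    tree = ast.parse(source)
    consts = {}
    # Collect simple module-level NAME = <int> assignments (last one wins).
    for node in tree.body:
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)
                and isinstance(node.value, ast.Constant)
                and isinstance(node.value.value, int)):
            consts[node.targets[0].id] = node.value.value

    def resolve(arg):
        # Literal integer, or a name bound to one above; otherwise unknown.
        if isinstance(arg, ast.Constant) and isinstance(arg.value, int):
            return arg.value
        if isinstance(arg, ast.Name):
            return consts.get(arg.id)
        return None

    hits = []
    for node in ast.walk(tree):
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr == "ExecWB"
                and len(node.args) >= 2
                and resolve(node.args[0]) == OLECMDID_PRINT
                and resolve(node.args[1]) == OLECMDEXECOPT_DONTPROMPTUSER):
            hits.append(node.lineno)
    return sorted(hits)

# Constructed sample script (parsed only, never executed).
SAMPLE = '''\
OLECMDID_PRINT = 6
OLECMDEXECOPT_DONTPROMPTUSER = 2
OLECMDEXECOPT_PROMPTUSER = 1
ie.ExecWB(OLECMDID_PRINT, OLECMDEXECOPT_DONTPROMPTUSER)
ie.ExecWB(OLECMDID_PRINT, OLECMDEXECOPT_PROMPTUSER)
ie.ExecWB(6,
          2)
'''

if __name__ == "__main__":
    print(find_silent_prints(SAMPLE))
```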