Use javascript to launch local file on user's machine? - javascript

I have an Excel macro that runs in a workbook that our company uses. I've made cells look like hyperlinks, so when someone double-clicks on the link it opens IBM mainframe and loads up some data. I'm writing another app for us that's web based, and I'm wondering if this same functionality is possible. I haven't seen anything on the internet that would lead me to believe I could do this, but I thought I'd ask anyway....
Public SODD As String
Private Sub Worksheet_BeforeDoubleClick(ByVal Target As Range, Cancel As Boolean)
If Target.Column = 2 And (Target.Row >= 1) Then
SODD = Target.Value
Call SOLookup
End If
End Sub
Sub SOLookup()
Dim autECLPS As Object
Dim s As New AutSess
AppActivate "3270 Terminal"
s.SetConnectionByName ("A")
s.autECLPS.StartCommunication
s.autECLPS.SendKeys "[Clear]"
s.autECLOIA.WaitForInputReady (500)
s.autECLPS.SetText "SODD " & SODD
s.autECLOIA.WaitForInputReady (500)
s.autECLPS.SendKeys "[ENTER]"
s.autECLOIA.WaitForInputReady (500)
End Sub
This loads the IBM mainframe and types in the sales order number into their screen and hits Enter.
Would I be able to accomplish this same feat using something like Javascript?

Javascript may not execute files on the user's local environment. However, a server side language may do what you require. For instance, you can use AJAX(javascript) to make a call to a PHP script which can execute, say, a batch file (.bat) which can then run your macro. The PHP file could have code as simple as
system("cmd /c C:[path to your macro/.bat file]");
Again, this all depends on your configuration and environment. So to recap: Web Browser->AJAX->PHP->Macro.

Neither Javascript nor any other script that runs inside the browser is allowed to execute any file locally on a user's computer. And this is a good tihng. Imagine what would happen if any website could randomly execute programs on your computer...
Internet ressources are not trusted, therefore they are not allowed to do anything on your local computer.
If the website is running in your company's intranet, there might be a way using proprietary MS technology and the Internet Explorer with properly configured trusted sites - but I wouldn't bother with it.

Related

Is it possible to open an application installed on client machine using client side scripting languages

I need a suggestion to clarify my thought.Now I am working on a Web application in ASP.NET MVC5 with Angularjs as the front end framework.
Is there any way to open client side application like MS Word/Outlook using any scripting languages like jquery,ajax,angularjs etc.
Yes you can open any MS-WORD document using ActiveXObject.
Following is the sample code to print file data on webpage.
var w=new ActiveXObject(‘Word.Application’);
if (w != null)
{
w.Visible = true; //set to false to stop the Word document from opening
obj=w.Documents.Open("C:\\blank.doc"); //this can be any location on your PC, not just C:
docText = obj.Content;
w.Selection.TypeText("Hello world!");
w.Documents.Save();
document.write(docText);//Print on webpage
For more information you can refer here.
In general, no, because that would be a huge security hole and lead to the spread of viruses and malware.
In certain specific cases where you can control the user's computer already, you may be able to do it (e.g. Internet Explorer with trusted sites as Strom said).
But it's not really worth pursuing such options as they are being aggresively shut down by browser vendors all the time.

MS Excel and Power Point cannot properly open local hosted file through WebDAV

I am currently making a project with WebDAV to make some kind of Document Management System. It is an ASP .NET Web Application, hosted in IIS. (Although it's not using IIS WebDAV, but a modification of this project:
http://mvc4webdav.codeplex.com/
For the last few months, it was working properly, but a few days ago, Excel and PowerPoint behave wrongly.
I was using the FFWinplugin or the Sharepoint ActiveXObject (the OpenDocument Control) depending on the browser.
When the user clicks on the document link, it will trigger this function:
function editDocument(event, path) {
event.preventDefault();
if (fNewDoc) {
if (!EditDocumentButton.EditDocument(path)) {
alert(L_EditDocumentRuntimeError_Text);
}
} else {
try {
//************************ This part works for word but not excel or power point
//var ffWinPlugin = document.getElementById("winFirefoxPlugin");
//var ov = ffWinPlugin.GetOfficeVersion();
// ffWinPlugin.EditDocument(path, ov);
//*********************************
window.location.replace('ms-powerpoint:ofe|u|' + path); //But this works for excel and powerpoint
} catch (e) {
alert(L_EditDocumentError_Text);
}
}
}
fNewDoc was a flag I set up at page load to determine whether the OpenDocument Control was initialized or not in IE.
The path is something like:
http://localhost/appName/EditDocument/cb72e81f-fb9c-40af-962b-aa981b79bb72/Test.pptx
The problem is this:
When I try to open an Excel/PowerPoint file by calling the EditDocument function above, using the FFWinPlugin or OpenDocument, it is not opened for editing properly. Both just open without protected view but cannot be edited.
In Excel, it does not show read-only mode, but when I tried saving, it says Document not Saved.
In PowerPoint, it opens in read-only mode.
I debugged to see the WebDAV Requests that was made, and it turns out that both of them only requests PROPFIND over and over again after the first OPTIONS.
While if I use the window.location.replace(.....), all 3 application (Word, Excel, PP) opens the documents fine, in protected view, and can be edited. Also, it follows the usual WebDAV Request cycle (OPTIONS-HEAD-OPTIONS-LOCK-GET-PROPFIND-UNLOCK). If I enable editing, it works just fine.
I tested the application first on Office 2013 (365), and for backward compatibility, I installed Office 2010 (I looked up online, and I know afterwards that this was a bad idea to have them side by side). And this whole problem occurs after I uninstalled the 2010 version a while ago.
I tested it on another computer, the problem did not occur. Tested also on an online WebDAV demo, and no problem occured as well. So it appears that the problem only happens between Excel/PowerPoint and the localhost.
I could have just use the working method to fix this, but it will make it inflexible, since I will have to have lots of if-else statement to determine which ms office application to use. While if I use the FFWinPlugin I don't have to take care of that. So I really want to know what's happening, but I have got nothing after looking up online for a while.
How can I fix this? At first I thought that the Office 2013 installation was corrupted after uninstalling 2010, but it works when not using the FFWinplugin. So, now I am not sure what went wrong.

How to check if the program is running with Administrator privileges in JavaScript

Is there any way to check in JavaScript if the current program runs with administrative privileges?
For example in C# i can do it with the following code:
bool isRunningWithAdminApprovals;
WindowsIdentity identity = WindowsIdentity.GetCurrent();
WindowsPrincipal principal = new WindowsPrincipal(identity);
isRunningWithAdminApprovals = principal.IsInRole(WindowsBuiltInRole.Administrator);
However I need to check it with a current running script of javaScript.
If i try to run an exe or a wrapper of the C# code, the UAC will prompt me to approve it and then i will already be in Administrative privilages...
Thanks
In modern browsers, the Javascript environment is run in a sandbox, so there's no way you can know anything about the system except those things that the browser put in the sandbox, ie the user agent string and a little more.
I fear you have to rely on other techniques, like Flash or Java, then retrieve the value with Javascript.

Would it be a security flaw to pass a URL from javascript to ActiveX?

I have an ActiveX control that basically checks if one of our company software is installed, and if not installs it.
(For reasons my boss doesn't want to just download the exe, he wants the ActiveX control to launch the setup.exe).
Now would it be bad if I passed from the javascript the URL & program name ?
Here's my idl interface so far:
// Primary dispatch interface for CMyAwesomeControl
[
uuid(xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx)
]
dispinterface _DMyAwesomeControl
{
properties:
methods:
[id(1)] LONG IsProgramInstalled(BSTR programName);
[id(2)] LONG InstallProgram(BSTR installURL);
};
I am of course worried about injecting anything malicious into those functions, but since javascript is running on the client side it shouldn't matter right ?
Otherwise I thought I could extract the URL this activeX is running on and make sure it's always our company's domain (but again, hard coding it :/).
I'm sorry in advance if this question makes the more security-savvy people out there pull their hair out :P
EDIT:
Just to add that it would be fine to include the setup.exe + .msi in the resources of the control but that would be a PITA to update.
Otherwise I could include just the setup.exe in the resource and leave the .msi on the server, and store the url in the setup.
As long as you sign your exe, and check this signature before running it, I don't see why it would be any different than letting the user download the exe and running it herself.
But make sure your certificate is valid, so you can actually check this on the user's machine (i.e. no self-signing).

How to call user32.dll methods from javascript

I have a javascript running on a browser. Is it possible to call a function/method in user32.dll.
This is possible from C# by using pInvoke calls. How do I do the same in JavaScript?
Thanks,
Datte
Because of the JavaScript sandbox, you can't do it without a middle layer requiring elevated security permissions, such as a Netscape-style browser plug-in (widely supported), ActiveX control (pretty much IE-only), or .Net control (I assume that's possible; again probably IE-only). In each case, the JavaScript would talk to the control, which would in turn make the USER32 call for you.
None of that will work without the user having granted your application elevated permissions, but I'm guessing as you're requiring Windows, this is for some kind of intranet application where that may be possible.
You definitely need a plug-in, extension or ActiveX of your own installed on the client.
In the case of a firefox extension, you can use jsctypes to wrap the calls easily.
If you use the Jetpack API included with Firefox 4, it will be all JavaScript and won't even require a browser restart.
Here's an exemple from mozilla.org for a basic Hello World :
/* Load JS Ctypes Javascript module */
require("chrome").Cu.import("resource://gre/modules/ctypes.jsm");
/* Load windows api dll */
var lib = ctypes.open("user32.dll");
/* Declare the signature of the function we are going to call */
var msgBox = lib.declare("MessageBoxW",
ctypes.stdcall_abi,
ctypes.int32_t,
ctypes.int32_t,
ctypes.ustring,
ctypes.ustring,
ctypes.int32_t);
var MB_OK = 3;
/* Do it! */
var ret = msgBox(0, "Hello world", "title", MB_OK);
/* Display the returned value */
alert("MessageBox result : "+ret);
lib.close();
On the client - it is not possible for security reasons (imagine every site could run system commands on your computer... end of the world - maybe possible with an ActiveX, but that's IE only, but then again, the DLL is windows only).
If you want to run it on the server you'll need to go trough AJAX and C#.
Run dll methods on the client machine using javascript from a web page? That's what is gonna trigger apocalypse.
If you build your own web browser in C#, you can intercept JavaScript calls and translate them to whatever you want in your browser. Though that won't work if you want it to be available to other browsers.
Write a com object that wraps your call to user32. Invoke it in IE/javascript.
Your DynamicWrapperX object would work for this (it would BE that com object, allowing you to just call your dlls as you wish).

Categories

Resources