How do I execute an application on the client machine - taking into account the security issues?
Nov 9th, 2001 06:41
lamar R, Martin Honnen, John Gabriel
First of all, normal browser security settings do not allow client-side
JavaScript to execute applications on the client machine.
With NN4, if your script is regarded as trusted, which it is when
- it is loaded locally
- it is signed
- it is loaded via an https secure server
- the browser security settings are lowered to accept
  codebase principals (check
  http://www.faqts.com/knowledge-base/view.phtml/aid/840/fid/125/lang/en
  for that)
it can call into Java to execute an application. The exec function
below contains the NN4 code in its if (document.layers) branch.
IE4/5 can't call into Java but can, if security settings are low
enough, instantiate ActiveX objects. The WScript.Shell ActiveX
object allows running applications. So the IE part of the code in the
following function tries to instantiate that object and call its Run
method to run the application. Of course that will only work if
WScript/Windows Script Host is installed on the client (Win98 comes
with it but Win95 does not) and the browser settings and the user allow
the execution.
function exec (command) {
  // NN4 branch: document.layers identifies Netscape 4; Java must be enabled.
  if (document.layers && navigator.javaEnabled()) {
    window._command = command;
    window.oldOnError = window.onerror;
    // Report a refused privilege request instead of a raw script error.
    window.onerror = function (err) {
      if (err.indexOf ("User didn't grant") != -1) {
        alert('command execution of ' + window._command +
              ' disallowed by user.');
        return true;
      }
      else return false;
    };
    // Request the exec privilege (the user is prompted), then call into Java.
    netscape.security.PrivilegeManager.enablePrivilege('UniversalExecAccess');
    java.lang.Runtime.getRuntime().exec(command);
    window.onerror = window.oldOnError;
  }
  // IE4/5 branch: document.all identifies Internet Explorer.
  else if (document.all) {
    window.oldOnError = window.onerror;
    window._command = command;
    // Report a refused ActiveX object ('utomation' in the error text).
    window.onerror = function (err) {
      if (err.indexOf('utomation') != -1) {
        alert('command execution of ' + window._command +
              ' disallowed by user.');
        return true;
      }
      else return false;
    };
    // Requires Windows Script Host on the client.
    var wsh = new ActiveXObject('WScript.Shell');
    if (wsh)
      wsh.Run(command);
    window.onerror = window.oldOnError;
  }
}

// Example
exec('notepad');
If you don't mind the IE security pop-ups, you can use Href="C:\pathname".
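
A review aid for the calls discussed above, added here as an example and not part of the original FAQ entry: it scans page or script source for the NN4 privilege request, the Java exec call, the WScript.Shell instantiation and local-path links, matching across line breaks so that a call split over two lines is still found. The rule ids, the auditScript function and the sample input are constructed for illustration.

```javascript
// Added example: flags the client-side command-execution calls this entry
// describes. Rule ids, auditScript and SAMPLE are constructed for illustration.
const RULES = [
  { id: 'nn4-exec-privilege',
    re: /enablePrivilege\s*\(\s*['"]UniversalExecAccess['"]/g },
  { id: 'java-runtime-exec',
    re: /java\.lang\.Runtime\.getRuntime\s*\(\s*\)\s*\.exec\s*\(/g },
  { id: 'wscript-shell-activex',
    re: /new\s+ActiveXObject\s*\(\s*['"]WScript\.Shell['"]/gi },
  { id: 'local-path-href',
    re: /href\s*=\s*['"][a-z]:\\/gi }
];

// Scan the whole text rather than line by line, so a call whose argument
// list starts on the next line is still reported.
function auditScript(source) {
  const findings = [];
  for (const rule of RULES) {
    for (const m of source.matchAll(rule.re)) {
      // 1-based line number of the first character of the match.
      const line = source.slice(0, m.index).split('\n').length;
      findings.push({ rule: rule.id, line: line,
                      text: m[0].replace(/\s+/g, ' ') });
    }
  }
  return findings.sort(function (a, b) { return a.line - b.line; });
}

// Constructed sample input modelled on the exec function above.
const SAMPLE = [
  "function exec (command) {",
  "  netscape.security.PrivilegeManager.enablePrivilege",
  "    ('UniversalExecAccess');",
  "  java.lang.Runtime.getRuntime().exec(command);",
  "  var wsh = new ActiveXObject('WScript.Shell');",
  "  wsh.Run(command);",
  "}"
].join('\n');

for (const f of auditScript(SAMPLE)) {
  console.log(f.line + ': ' + f.rule + ' -> ' + f.text);
}
```

Each finding carries the rule id, the line where the match starts and the matched text with whitespace collapsed, which is enough to triage a page before deciding whether it belongs in a trusted zone.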