Home » Windows OSRSS

Script error invalid character using the WebBrowser control

One of our applications was broken after installing IE7. We narrowed the problem down to the below:

WebBrowser browser = new WebBrowser();
browser.DocumentText = "<script src=\"file://c:\test\foo.js\"></script><p>test</p>";

This code works fine under IE6, but when running on IE7 you get the error:
Line: 2
Char:1
Error: Invalid Character
Code: 0
URL: about:blank

It doesn't matter what is in the foo.js file, it can be completely blank and you will get the error. If you replace the file://c:\test\foo.js with a valid http URL (Internet zone), it works fine. If you create a file with the contents and load it into the control using browser.Navigate() it also loads fine. So it seems related to security.

Any ideas? This repros 100% on WinXP SP2 with IE7 Final.

Thanks,
John

 

21 Answers Found

 

Answer 1

but what about getting the same error  message here:

http://safety.live.com/site/en-US/scanner/default_scan.htm ?

i hope now we'll get faster an answer

 

Answer 2

There are some new information disclosure fixes in IE 7 that disallow arbitrary usage of the file  system for loading of scripts. There are several fixes available to get you up and running. First, don't use an internet  zone page for the content, instead load  a dummy HTML page from disk to put the browser control  into the local machine zone. Then you can load from the local machine zone  just fine.

The second is to show intent that you don't mind allowing web-sites arbitrary access to scripts on your local machine by setting a feature control key. Some applications  don't load internet content and so aren't vulnerable and so the usage of the key is a valid  fix:

HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT (registry key)

MyAppName.exe:DWORD(0x0) (registry value)

Hopefully one of these options is suitable for your scenario. We warn against setting the feature control key for your application unless you are sure that internet content is not going to be loaded by your application.

 

Answer 3

Justin -- thanks  for the suggestion.

We tried the following:

WebBrowser browser  = new WebBrowser();
browser.Navigate(@"c:\test\blank.html");     // suggestion 1: try put the browser in local machine mode
browser.DocumentText = "<script src=\"file://c:\test\foo.js\"></script><p>test</p>";     // still yields same script  error

We also added some code  to make sure the navigate  was complete before setting the DocumentText for good measure but that did not make a difference, we get the same script error.

It looks like when you do a document.write() it blows away the context altogether. As a host of the control, I would think there would be a programmatic way to control  the zone  security policy. Changing the registry is not really a good option since we also show some real web pages.

This seems like a very common scenario for MSHTML -- generate some dynamic content in memory which references scripts. I'm surprised this doesn't break applications  like Money, etc. We really would like to avoid writing to a temporary file  each time, although that does solve the problem.

Thanks,

John

 

Answer 4

The document write may indeed blow away your context. But gaining access to the elements inside the body of the current document would not. Once you navigate, you can try to inject HTML into the document by getting the body element and doing an innerHTML call on that.

browser.Document.Body.InnerHtml seems to be the .NET syntax you'd want.

Is this a common scenario? Well, yes and no. By adopting about:blank, you automatically get placed into the Internet zone  in most cases (there are some exceptions). Controls want this to occur because they get more protection from the web in this mode which is why the .NET WebBrowser control  behaves the way it does. Secure by default is our end goal in almost all cases.

Note, if you don't care about the dynamic scenario, you can always write to disk as well. I always put this out there just in case the application at hand warrants the approach. If you truly want dynamic page generation though, I think doing what you've done above, grabbing the body and injecting content will solve your problem.

 

Answer 5

John

I am not sure whether this is relevant.

But I faced exactly the same problem  you had described, and my problem was fixed after I added the about:blank to the trusted sites in IE7. Well this is not the best of the solutions but it solves the problem. I am working on devising an alternative solution for this.  Thanks,
 

Answer 6

It works  for me too, Prabs, thanks  a lot! But the problem  now is I get all the time a security  warning asking me if I allow the current Web page to open a site in my Trusted sites list which is, of course, about:blank
 

Answer 7

Since going to IE-7 I encounter this message when I open some but not all of the logs in my Norton Internet Security suite.  The problem  with allowing all communication with URL about:blank is that about:blank is an infamous purveyor of malware.  They are notorious especially but far from exclusively for homepage hijack exploits.  They have numerous publications that include downloaders, Trojans, web trackers, etc.  Questions: Why are we seeing this message? How is it related  to adopting IE-7? How do we fix it without allowing bad guys free access? I can tell you that Norton Antivirus does not detect a problem, nor do eTrust Pest Patrol, Ad-aware, or SpySweeper.
 

Answer 8

One way I fixed that error  - about:blank 1.right click on the desktop - select properties 2. chose the desktop tab 3. click on the button customise desktop 4 select the web tab 5. click on the properties button 6. stay under the default settings - 7. web documents tab -then uncheck make this page available offline apply and ok 8. Then close out of all windows you have open You will find that you are having no more problems with this any more . PS. Hope this helps everyone thats still having problem!
 

Answer 9

Sorry, not in my case
 

Answer 10

I did a clean reinstall of everything and now is working Twilight Zone...
 

Answer 11

I am still faced with the problem  that I can not use the Windows Live OneCare safety scanner.  How did you add the about:blank to the trusted sites in IE7?
 

Answer 12

Hi,

Getting the same error  but in a slightly different manner, it is happening for me when I try to set the browser  URL to that of an Authorware .AAM file:

ie:
 document.location=http://myserver/training/esa/esa010401/esa010401.aam

It works  fine if I use IE7 with "myserver" in the list of IE's trusted sites but doesn't work in an application using the WebBrowser control.

The registry modifications suggested by Justin Rodgers does work, but is an unacceptable solution to my situation as the application with the WebBrowser control  is already deployed to thousands of machines.

I'm really trying to find a solution that can be implemented on the server side.

Suggestions?

 

Answer 13

Control Panel => Internet Options => Security tab => select "Trusted sites" => click on "Sites" button => Trusted sites window => "Add this website to the zone:" - write "about:blank" => click on "Add" button => click on "Close" button => click "OK" in Internet Properties window.

But, like I said, after a clean installation of Windows, I uninstalled IE6 from "Add/Remove Windows Components" and I installed IE7 and everything worked fine, I did not need this "solution" anymore.

 

Answer 14

Control Panel => Internet Options => Security tab => select "Trusted sites" => click on "Sites" button => Trusted sites window => "Add this website to the zone:" - write "about:blank" => click on "Add" button => click on "Close" button => click "OK" in Internet Properties window.

But, like I said, after a clean installation of Windows, I uninstalled IE6 from "Add/Remove Windows Components" and I installed IE7 and everything worked fine, I did not need this "solution" anymore, neither making My Home Page unavailable offline.

 

Answer 15

After digging for two days, I think I found the reason. When your code  calls write(), IE implicitly opens a new document (calls open() implicitly), even when open() is called just before. For script  object of IE, it can initialize the URL of the new document with the file  it resides. But for COM call, no context exists, then IE will still initialize the new doc with "about:blank". So, write() operation will create  a doc in "about:blank" instead of in the page before write() is called. Together with the LMZ_SCRIPT restriction, loading external JS file will fail.

One solution is the registry change mentioned by Justin previously, by allowing LMZ_SCRIPT for certain applications.

I also found a registryless workaround. You can use a dummy HTML file with a helper javascript function in it, and navigate  to this file first. When your application wants to write HTML containing script, call document.write() through the helper JS function. Then the call is made under correct context. This is a reasonable trick that we are making use of the context of <script>.

Helper.htm:
<HTML>
<HEAD>
<script language="javascript">
function WriteHelper(str)
{
    document.write(str);
}
</script>
</HEAD>
</HTML>
In C++ Code:
// Get IHTMLWindow2 from IHTMLDocument2, say, pWin
// Use pWin->GetIDsOfNames() to get "WriteHelper" method of pWin
// Use pWin->Invoke() to invoke the javascript function, providing the string as parameter

I tried this way to write "<script src='jscript1.js'></script>" and it works, as long as JS file is in the same domain of the helper HTML. By this way you don't have to change the registry.

 

Answer 16

Thanks for this tip (I wouldn't have thought of that !)

Next problem  is calling IDispatch::Invoke() from C# (most development is .NET nowdays).

I got as far as getting an IDispatch from IHTMLWindow2, courtesy of interop but GetIDsOfNames() keeps failing .

Do you know of some working C# (or VB.NET) code  for calling IDispatch ?
 

Answer 17

Well, never could get GetIDsOfNames() to return anything useful so I tried a more mundane trick, generating a temporary HTML (I initially wanted to avoid relying on the filesystem) file  and loading it : it worked.

The temp file contains the needed <script> elements, this time, and I get no complains about "uncorrect character  line 1", everything hunky dory.

Hope it helps someone :)
 

Answer 18

Had the exact same problem.  The solution I went with was to load  a blank  html file on startup, and do all further updates by modifying the page using the DOM, rather than replacing it via DocumentText.  That included creating the link to the external javascript file  using the DOM, as shown below: HtmlElement newElement = webBrowser1.Document.CreateElement("script"); newElement.SetAttribute("type", "text/javascript"); newElement.SetAttribute("src", "file://C:/junk/junk.js"); HtmlElement head = webBrowser1.Document.GetElementsByTagName("head")[0]; head.AppendChild(newElement);
 

Answer 19

While activating action key to scan on Window Live one care the following error  appeared:-

Internet Explorer script  error

An error occured the script on this page

Line: 90
Char:1
Error: Obect expected
Code: 0
URL: about:blank

And then it asks do you want to continue ??

On each action Yes or No there is no function

Appriciate if any cure for this is send to me on my mail id : wideworldevent@gmail.com

 

Answer 20

Thank u so much. I've had this issue since Christmas when my hubby got his new mp3 player and has been downloading songs. Your solution so helped.

 

Answer 21

thank you, Berriman! that helped! i'm not getting any messages anymore!
 
 
 

<< Previous      Next >>


Microsoft   |   Windows   |   Visual Studio   |   Follow us on Twitter