Active Content?


McKirahan

What is "active content"? My ASP page just returns HTML....


I have a page with an .htm extension that has a form whose action
is an ASP page which generates a report after updating a database
with the form data.

Under Windows XP SP2 the IE6 "Information Bar" has the message:

"To help protect your security, Internet Explorer has restricted this
file from showing active content that could access your computer."
 

McKirahan

Curt_C said:
What's the code look like? Most likely some clientside events are getting
triggered that are being interpreted as malicious

Thanks for your reply. As I said, it returns just HTML:

<html>
<head>
<title>...</title>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta name="title" content="...">
<meta name="description" content="...">
<meta name="keywords" content="...">
<meta name="author" content="...">
<style type="text/css">
td { font-family:Arial; font-size:8pt }
th { font-family:Arial; font-size:8pt; font-weight:bold }
.data { font-family:Arial; font-size:7pt; cursor:pointer; cursor:hand }
.hand { cursor:pointer; cursor:hand }
.head { font-family:Arial; font-size:9pt; font-weight:bold }
.lane { border-bottom:1px solid black }
.line { border:1px solid black }
.page { page-break-before:always }
</style>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0" width="709">
<tr>
<th align="left" class="head">...</th>
<th class="head">
<img src="images/...gif" border="0" width="24" height="12" alt=""
class="line" align="absmiddle">
&nbsp; ... &nbsp;
<img src="images/...gif" border="0" width="24" height="12" alt=""
class="line" align="absmiddle">
</th>
<th align="right" class="head">...</th>
</tr>
</table>
<br>
<table border="0" cellpadding="0" cellspacing="0" width="709" class="line">
<tr>
<th class="lane" width="118" align="left">...</th>
<th class="lane" width="60">...</th>
<th class="lane" width="40">...</th>
<th class="lane" width="40">...</th>
<th class="lane" width="40">...</th>
<th class="lane" width="40">...</th>
<th class="lane" width="35">...</th>
<th class="lane" width="35">...</th>
<th class="lane" width="40">...</th>
<th class="lane" width="40">...</th>
<th class="lane" width="40">...</th>
<th class="lane" width="30">...</th>
<th class="lane" width="30">...</th>
<th class="lane" width="120">...</th>
</tr>
<!-- table row details were here -->
</table>
<div class="page"></div>
</body>
</html>
 

Mark Schupp

McKirahan said:
Thanks for your reply. As I said, it returns just HTML:

<html>
<head>
<title>...</title>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta name="title" content="...">
<meta name="description" content="...">
<meta name="keywords" content="...">
<meta name="author" content="...">
<style type="text/css">
td { font-family:Arial; font-size:8pt }
th { font-family:Arial; font-size:8pt; font-weight:bold }
.data { font-family:Arial; font-size:7pt; cursor:pointer; cursor:hand }
.hand { cursor:pointer; cursor:hand }
.head { font-family:Arial; font-size:9pt; font-weight:bold }
.lane { border-bottom:1px solid black }
.line { border:1px solid black }
.page { page-break-before:always }
</style>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0" width="709">
<tr>
<th align="left" class="head">...</th>
<th class="head">
<img src="images/...gif" border="0" width="24" height="12" alt=""
class="line" align="absmiddle">
&nbsp; ... &nbsp;
<img src="images/...gif" border="0" width="24" height="12" alt=""
class="line" align="absmiddle">
</th>
<th align="right" class="head">...</th>
</tr>
</table>
<br>
<table border="0" cellpadding="0" cellspacing="0" width="709"
class="line">
<tr>
<th class="lane" width="118" align="left">...</th>
<th class="lane" width="60">...</th>
<th class="lane" width="40">...</th>
<th class="lane" width="40">...</th>
<th class="lane" width="40">...</th>
<th class="lane" width="40">...</th>
<th class="lane" width="35">...</th>
<th class="lane" width="35">...</th>
<th class="lane" width="40">...</th>
<th class="lane" width="40">...</th>
<th class="lane" width="40">...</th>
<th class="lane" width="30">...</th>
<th class="lane" width="30">...</th>
<th class="lane" width="120">...</th>
</tr>
<!-- table row details were here -->
</table>
<div class="page"></div>
</body>
</html>
don't see anything obvious (unless there is something in the "..." areas
that you left out). try stripping out code until the message goes away
(start with the style block, it has the most unusual code).
 

Adrienne

don't see anything obvious (unless there is something in the "..."
areas that you left out). try stripping out code until the message goes
away (start with the style block, it has the most unusual code).

The style block looks good, no errors. If I were you, I would put the
style information in an external sheet. Don't use fixed font sizes the
user cannot resize, use ems or percentages (percentages are better because
IE has issues with ems), and the size you have declared may be too small
for some users. Also, the native behavior of the TH element is to center
bold, so font-weight:bold is redundant.

Do you have a URL? It would be helpful to see the real source.

My guess is there is something there that the script is outputting that is
not HTML, therefore, the browser is coming up with the message.

You might also want to check what content type the server is sending. Make
sure that it is text/html. If you are trying to serve content-type:
application/xhtml+xml IE does not know how to render it correctly and will
throw an error.
 

McKirahan

[snip]

Thanks anyway...
The style block looks good, no errors. If I were you, I would put the
style information in an external sheet. Don't use fixed font sizes the
user cannot resize, use ems or percentages (percentages are better because
IE has issues with ems), and the size you have declared may be too small
for some users. Also, the native behavior of the TH element is to center
bold, so font-weight:bold is redundant.

This page has a single user as it's part of an application.
Do you have a URL? It would be helpful to see the real source.

I posted a subset of the real source; "..." was substituted in places.
My guess is there is something there that the script is outputting that is
not HTML, therefore, the browser is coming up with the message.

Nothing but HTML; not even JavaScript.
You might also want to check what content type the server is sending. Make
sure that it is text/html. If you are trying to serve content-type:
application/xhtml+xml IE does not know how to render it correctly and will
throw an error.

I declared the content type with a meta tag.

I found this though it doesn't seem to apply:

How to Disable Active Content in Internet Explorer
http://support.microsoft.com/kb/154036

In part it states:

Customizing Safety Levels for Active Content

While most active content contained in Web pages is safe, some Web pages
contain active content that can potentially cause security problems on your
computer. For example, an ActiveX control that runs automatically when you
load a particular Web page might damage your data or cause your computer to
become infected with a virus. Internet Explorer uses safety levels for
active content to help prevent this situation from occurring.
 

Adrienne

[snip]

Thanks anyway...
The style block looks good, no errors. If I were you, I would put the
style information in an external sheet. Don't use fixed font sizes
the user cannot resize, use ems or percentages (percentages are better
because IE has issues with ems), and the size you have declared may be
too small for some users. Also, the native behavior of the TH element
is to center bold, so font-weight:bold is redundant.

This page has a single user as it's part of an application.

And only one user uses the application? Be aware if you ever want to port
this to an application that will be on the WWW you need to address this
issue.
I posted a subset of the real source; "..." was substituted in places.

It would still be good to see the source. Although you have substituted
... there's nothing like the real thing.
Nothing but HTML; not even JavaScript.

Provide a URL.
I declared the content type with a meta tag.

Server content type overrides the META element.
I found this though it doesn't seem to apply:

How to Disable Active Content in Internet Explorer
http://support.microsoft.com/kb/154036

In part it states:

Customizing Safety Levels for Active Content

While most active content contained in Web pages is safe, some Web
pages contain active content that can potentially cause security
problems on your computer. For example, an ActiveX control that runs
automatically when you load a particular Web page might damage your
data or cause your computer to become infected with a virus. Internet
Explorer uses safety levels for active content to help prevent this
situation from occurring.

If you change the settings to allow everything, does your application work
correctly? If so, there _is_ something there other than HTML or the server
is sending an incorrect content type.

I suggest you view the page in Firefox with the Developer extensions
enabled, and view Response Headers.
 

McKirahan

Thanks for your continued interest.

Adrienne said:
[snip]

Thanks anyway...
The style block looks good, no errors. If I were you, I would put the
style information in an external sheet. Don't use fixed font sizes
the user cannot resize, use ems or percentages (percentages are better
because IE has issues with ems), and the size you have declared may be
too small for some users. Also, the native behavior of the TH element
is to center bold, so font-weight:bold is redundant.

This page has a single user as it's part of an application.

And only one user uses the application?
Yes.

Be aware if you ever want to port
this to an application that will be on the WWW you need to address this
issue.
I posted a subset of the real source; "..." was substituted in places.

It would still be good to see the source. Although you have substituted
... there's nothing like the real thing.
Nothing but HTML; not even JavaScript.

Provide a URL.
I declared the content type with a meta tag.

Server content type overrides the META element.
I found this though it doesn't seem to apply:

How to Disable Active Content in Internet Explorer
http://support.microsoft.com/kb/154036

In part it states:

Customizing Safety Levels for Active Content

While most active content contained in Web pages is safe, some Web
pages contain active content that can potentially cause security
problems on your computer. For example, an ActiveX control that runs
automatically when you load a particular Web page might damage your
data or cause your computer to become infected with a virus. Internet
Explorer uses safety levels for active content to help prevent this
situation from occurring.

If you change the settings to allow everything, does your application work
correctly? If so, there _is_ something there other than HTML or the server
is sending an incorrect content type.

I suggest you view the page in Firefox with the Developer extensions
enabled, and view Response Headers.

This page is part of an HTML Application. The HTA generates a .htm page
(opened using "InternetExplorer.Application") with a form; when the page
is loaded JavaScript is used to submit the form whose action is the .asp
page.

The ASP page processes the form which updates a database then displays
a report of what it did. The database gets updated and the page tries to
load but is halted when the message in the Information Bar appears.


I'm going to try "Mark of the Web" as alternative to changing IE6 settings.
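
The "Mark of the Web" mentioned in the last post is an HTML comment of the form `<!-- saved from url=(NNNN)URL -->`, where NNNN is the four-digit character count of URL; with it, IE runs a locally opened file in that URL's zone instead of the locked-down Local Machine zone. The following is an added example, not code from the thread: it builds, validates and inserts the mark in a generated page, and the function names, the sample page and its form action URL are assumptions made up for illustration.

```javascript
// Added example: Mark of the Web (MOTW) helpers for locally generated HTML.
const MOTW_RE = /<!--\s*saved from url=\((\d{4})\)(\S+)\s*-->/i;
const DOCTYPE_RE = /^\s*<!DOCTYPE[^>]*>\r?\n?/i;

// Build the comment; the count is the zero-padded length of the URL string.
function buildMotw(url) {
  if (!url || /\s/.test(url) || url.length > 9999) {
    throw new RangeError("URL must be 1-9999 characters with no whitespace");
  }
  return "<!-- saved from url=(" + String(url.length).padStart(4, "0") + ")" + url + " -->";
}

// Find a mark in a document. `valid` is false when the declared count does
// not match the URL, which is what happens when a mark is edited by hand.
function parseMotw(html) {
  const m = MOTW_RE.exec(html);
  if (!m) return null;
  return { url: m[2], declared: Number(m[1]), valid: Number(m[1]) === m[2].length };
}

// Insert the mark after the DOCTYPE if there is one, otherwise at the top.
// An existing mark (valid or not) is replaced so the page carries only one.
function addMotw(html, url) {
  const mark = buildMotw(url);
  if (MOTW_RE.test(html)) return html.replace(MOTW_RE, () => mark);
  const doctype = DOCTYPE_RE.exec(html);
  const at = doctype ? doctype[0].length : 0;
  return html.slice(0, at) + mark + "\r\n" + html.slice(at);
}

// Constructed sample: a generated form page like the one the HTA writes.
// The action URL is hypothetical.
const generatedPage = [
  "<html>",
  "<head><title>Report form</title></head>",
  '<body onload="document.forms[0].submit()">',
  '<form method="post" action="http://localhost/report.asp">',
  '<input type="hidden" name="id" value="1">',
  "</form>",
  "</body>",
  "</html>",
].join("\r\n");

const marked = addMotw(generatedPage, "about:internet");
console.log(marked.split("\r\n")[0]);
console.log(parseMotw(marked));
```

`about:internet` places the page in the Internet zone; a specific URL such as `http://localhost` (count 0016) places it in whatever zone IE assigns to that URL.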
 
