MSXML + HTA = BUG

Something is very wrong with MSXML

An HTA is an HTML Application: an executable application format that hosts Internet Explorer in a fully trusted application. Like any other executable, this application has full access to your OS and hardware. You can create and delete files, read the registry and more. In an HTA you can use any COM object; you can, for example, open a socket to create an IRC application. But you cannot use MSXML to retrieve an XML document from a web server without seeing a security warning!

  • Mark Thomas

    It works for me.
    I have an hta that hosts an iframe (application="yes") pointing to a web server. I can use msxml from within this.

    Works on W2k IE5.5, IE6 and on XP

  • Mark Thomas

    Try running this from .hta. Works for me

    // Synchronous GET through XMLHTTP
    var objXMLHTTP = new ActiveXObject("MSXML2.XmlHttp");
    objXMLHTTP.Open("GET", "http://www.google.com", false);
    objXMLHTTP.SetRequestHeader("Content-type", "text/html");
    objXMLHTTP.Send();
    alert(objXMLHTTP.ResponseText);

    // Synchronous load of a remote XML document into a DOM
    var objXML = new ActiveXObject("MSXML.DomDocument");
    objXML.async = false;
    objXML.load("http://webfx.eae.net/dhtml/xloadtree/tree.xml");
    alert(objXML.documentElement.xml);

  • http://erik.eae.net Erik Arvidsson

    Your code gives me a security warning… checking my IE settings… No, resetting to default does not help.

    I’m using IE6 SP1, 6.00.2800 with all the latest patches on Windows XP SP1 with all the latest patches.

    I got this bug report from someone else, I just could not believe it before testing it myself.

  • Mark Thomas

    I’m on IE 6.0.2800.1106.xpsp2.030422-1633
    Works with default or high security settings.

  • http://erik.eae.net Erik Arvidsson

    So, maybe they fixed the bug in XPSP2?

    Personally, I can’t use XPSP2 because it makes the active desktop unusable. (Yes, I have reported this.)

  • Mark Thomas

    I’m on XP SP1, not SP2.

  • http://erik.eae.net Erik Arvidsson

    Sorry, I didn’t realize that xpsp2 did not mean xp sp2 (in the about box).

    When resetting the Internet Zone, Local Intranet and Restricted sites, it now works. I still consider this a bug, because if any zone should apply, the My Computer Zone should be used.