Javascript and security
WMPTalk.com Forum Index WMPTalk.com
Discuss Windows Media Player
 
 FAQFAQ   MemberlistMemberlist     RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 
 
Google
 
Web wmptalk.com
Javascript and security

 
Post new topic   Reply to topic    WMPTalk.com Forum Index -> Windows Media on Web
Author Message
kdt
Guest
Posted: Fri Jul 02, 2004 5:30 am    Post subject: Javascript and security Reply with quote
Hi.

For arcane reasons I'm builing a player in javascript, then using dynamic html to sometimes write the player. It works just fine here, but on our clients machine it refuses to load the media. It builds the player, but there is no file loaded - right click and no properties in the popup menu.

I'm really stuck - it must be a security issue, but what. They are running XP Pro, which is one of the systems I'm testing it on here, but I can't seem to get it to work.
I've been through they's settings - everything is running locally on the machine using IE in Kiosk Mode, so no network, internet, cross platform or conectivity issues.

The file plays fine inside a stand alone windows media player, or when I directly write the object tag without the javascript.

Here's the code boiled down:
<HTML>
<SCRIPT language='JavaScript'>
function buildMediaPlayer(strURL){
var strObjectText;
strObjectText = "<OBJECT ID='mediaPlayer' ";
strObjectText = strObjectText + "CLASSID='CLSID:22d6f312-b0f6-11d0-94ab-0080c74c7e95' Height='457' Width='609' ";
strObjectText = strObjectText + "CODEBASE='http://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab#Version=5,1,52,701'";
strObjectText = strObjectText + "STANDBY=''";
strObjectText = strObjectText + "TYPE='application/x-oleobject' >";
strObjectText = strObjectText + "<PARAM NAME='showControls' VALUE='false'> ";
strObjectText = strObjectText + "<PARAM NAME='Loop' VALUE='true'>"
strObjectText = strObjectText + "<PARAM NAME='animationatStart' VALUE='false'> ";
strObjectText = strObjectText + "<PARAM NAME='transparentatStart' VALUE='true'> ";
strObjectText = strObjectText + "<PARAM NAME='autoStart' VALUE='true'>";
strObjectText = strObjectText + "<PARAM name='FileName' value='";
strObjectText = strObjectText + strURL + "'>"
strObjectText = strObjectText + "</OBJECT>";

return strObjectText;
}</SCRIPT>
<BODY>
<DIV ID="MediaDiv">
<P ID="Media">
</DIV>
<SCRIPT LANGUAGE='JavaScript'>
Media.innerHTML = buildMediaPlayer("airplaneproc.mpg");
</SCRIPT>
</BODY></HTML>


However this works just fine, unfortunately not usable:

<HTML>
<BODY>
<OBJECT ID='mediaPlayer'
CLASSID='CLSID:22d6f312-b0f6-11d0-94ab-0080c74c7e95'
Height='457' Width='609'
CODEBASE='http://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab#Version=5,1,52,701' STANDBY='' TYPE='application/x-oleobject'>
<PARAM NAME='showControls' VALUE='false'>
<PARAM NAME='Loop' VALUE='true'>
<PARAM NAME='animationatStart' VALUE='false'>
<PARAM NAME='transparentatStart' VALUE='true'>
<PARAM NAME='autoStart' VALUE='true'>
<PARAM name='FileName' value='airplaneproc.mpg'>
</OBJECT>
</BODY></HTML>

Any help, pointers, tips greatly appreciated

keith

Back to top
kdt
Guest
Posted: Fri Jul 02, 2004 6:39 am    Post subject: RE: Javascript and security Reply with quote
Additional note, I've also tried:
<DIV ID="MediaDiv">
</DIV>

<script>
document.getElementById("MediaDiv").innerHTML = buildMediaPlayer("airplaneproc.mpg");
</SCRIPT>

Which works locally but not on the site.

Keith
Back to top
Neil Smith [MVP Digital M
Guest
Posted: Fri Jul 02, 2004 10:35 pm    Post subject: Re: Javascript and security Reply with quote
Are you using an xhtml declaration on this document ?
You cannot set innerHTML to a tag pair without closing the tag :

<DIV ID="MediaDiv">
<P ID="Media">
</DIV>
<SCRIPT LANGUAGE='JavaScript'>
Media.innerHTML = buildMediaPlayer("airplaneproc.mpg");
</SCRIPT>

It's just not valid XHTML (or even, valid HTML !)

Cheers - Neil

On Thu, 1 Jul 2004 18:30:02 -0700, kdt <kdt@discussions.microsoft.com>
wrote:

Quote:
Hi.

For arcane reasons I'm builing a player in javascript, then using dynamic html to sometimes write the player. It works just fine here, but on our clients machine it refuses to load the media. It builds the player, but there is no file loaded - right click and no properties in the popup menu.

I'm really stuck - it must be a security issue, but what. They are running XP Pro, which is one of the systems I'm testing it on here, but I can't seem to get it to work.
I've been through they's settings - everything is running locally on the machine using IE in Kiosk Mode, so no network, internet, cross platform or conectivity issues.

The file plays fine inside a stand alone windows media player, or when I directly write the object tag without the javascript.

Here's the code boiled down:
HTML
SCRIPT language='JavaScript'
function buildMediaPlayer(strURL){
var strObjectText;
strObjectText = "<OBJECT ID='mediaPlayer' ";
strObjectText = strObjectText + "CLASSID='CLSID:22d6f312-b0f6-11d0-94ab-0080c74c7e95' Height='457' Width='609' ";
strObjectText = strObjectText + "CODEBASE='http://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab#Version=5,1,52,701'";
strObjectText = strObjectText + "STANDBY=''";
strObjectText = strObjectText + "TYPE='application/x-oleobject' >";
strObjectText = strObjectText + "<PARAM NAME='showControls' VALUE='false'> ";
strObjectText = strObjectText + "<PARAM NAME='Loop' VALUE='true'>"
strObjectText = strObjectText + "<PARAM NAME='animationatStart' VALUE='false'> ";
strObjectText = strObjectText + "<PARAM NAME='transparentatStart' VALUE='true'> ";
strObjectText = strObjectText + "<PARAM NAME='autoStart' VALUE='true'>";
strObjectText = strObjectText + "<PARAM name='FileName' value='";
strObjectText = strObjectText + strURL + "'>"
strObjectText = strObjectText + "</OBJECT>";

return strObjectText;
}</SCRIPT
BODY
DIV ID="MediaDiv"
<P ID="Media"
/DIV
SCRIPT LANGUAGE='JavaScript'
Media.innerHTML = buildMediaPlayer("airplaneproc.mpg");
/SCRIPT
/BODY></HTML


However this works just fine, unfortunately not usable:

HTML
BODY
OBJECT ID='mediaPlayer'
CLASSID='CLSID:22d6f312-b0f6-11d0-94ab-0080c74c7e95'
Height='457' Width='609'
CODEBASE='http://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab#Version=5,1,52,701' STANDBY='' TYPE='application/x-oleobject'
<PARAM NAME='showControls' VALUE='false'
<PARAM NAME='Loop' VALUE='true'
<PARAM NAME='animationatStart' VALUE='false'
<PARAM NAME='transparentatStart' VALUE='true'
<PARAM NAME='autoStart' VALUE='true'
<PARAM name='FileName' value='airplaneproc.mpg'
/OBJECT
/BODY></HTML

Any help, pointers, tips greatly appreciated

keith


Back to top
Neil Smith [MVP Digital M
Guest
Posted: Fri Jul 02, 2004 10:38 pm    Post subject: Re: Javascript and security Reply with quote
This line is giong to cause a javascript error. You must test these
things with error reporting turned on in your browser or your scripts
will fail to run silently :

Quote:
strObjectText = strObjectText + "STANDBY=''";

You need a single closing quote, not two. This is a javascript syntax
error. There may be others. Please debug your code before posting,

Cheers - Neil

On Thu, 1 Jul 2004 18:30:02 -0700, kdt <kdt@discussions.microsoft.com>
wrote:

Quote:
Hi.

For arcane reasons I'm builing a player in javascript, then using dynamic html to sometimes write the player. It works just fine here, but on our clients machine it refuses to load the media. It builds the player, but there is no file loaded - right click and no properties in the popup menu.

I'm really stuck - it must be a security issue, but what. They are running XP Pro, which is one of the systems I'm testing it on here, but I can't seem to get it to work.
I've been through they's settings - everything is running locally on the machine using IE in Kiosk Mode, so no network, internet, cross platform or conectivity issues.

The file plays fine inside a stand alone windows media player, or when I directly write the object tag without the javascript.

Here's the code boiled down:
HTML
SCRIPT language='JavaScript'
function buildMediaPlayer(strURL){
var strObjectText;
strObjectText = "<OBJECT ID='mediaPlayer' ";
strObjectText = strObjectText + "CLASSID='CLSID:22d6f312-b0f6-11d0-94ab-0080c74c7e95' Height='457' Width='609' ";
strObjectText = strObjectText + "CODEBASE='http://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab#Version=5,1,52,701'";
strObjectText = strObjectText + "STANDBY=''";
strObjectText = strObjectText + "TYPE='application/x-oleobject' >";
strObjectText = strObjectText + "<PARAM NAME='showControls' VALUE='false'> ";
strObjectText = strObjectText + "<PARAM NAME='Loop' VALUE='true'>"
strObjectText = strObjectText + "<PARAM NAME='animationatStart' VALUE='false'> ";
strObjectText = strObjectText + "<PARAM NAME='transparentatStart' VALUE='true'> ";
strObjectText = strObjectText + "<PARAM NAME='autoStart' VALUE='true'>";
strObjectText = strObjectText + "<PARAM name='FileName' value='";
strObjectText = strObjectText + strURL + "'>"
strObjectText = strObjectText + "</OBJECT>";

return strObjectText;
}</SCRIPT
BODY
DIV ID="MediaDiv"
<P ID="Media"
/DIV
SCRIPT LANGUAGE='JavaScript'
Media.innerHTML = buildMediaPlayer("airplaneproc.mpg");
/SCRIPT
/BODY></HTML


However this works just fine, unfortunately not usable:

HTML
BODY
OBJECT ID='mediaPlayer'
CLASSID='CLSID:22d6f312-b0f6-11d0-94ab-0080c74c7e95'
Height='457' Width='609'
CODEBASE='http://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab#Version=5,1,52,701' STANDBY='' TYPE='application/x-oleobject'
<PARAM NAME='showControls' VALUE='false'
<PARAM NAME='Loop' VALUE='true'
<PARAM NAME='animationatStart' VALUE='false'
<PARAM NAME='transparentatStart' VALUE='true'
<PARAM NAME='autoStart' VALUE='true'
<PARAM name='FileName' value='airplaneproc.mpg'
/OBJECT
/BODY></HTML

Any help, pointers, tips greatly appreciated

keith
Back to top
kdt
Guest
Posted: Sat Jul 03, 2004 12:27 am    Post subject: Re: Javascript and security Reply with quote
"Neil Smith [MVP Digital Media]" wrote:

Quote:
This line is giong to cause a javascript error. You must test these
things with error reporting turned on in your browser or your scripts
will fail to run silently :

strObjectText = strObjectText + "STANDBY=''";

You need a single closing quote, not two. This is a javascript syntax
error. There may be others. Please debug your code before posting,

Actually this is correct syntax. I have error reporting turned on. It adds an empty string value to the STANDBY parameter - STANDBY=' ' (I added a space here to be more clear)

The string that gets assigned to variable strObjectText is
"<OBJECT ID='mediaPlayer' CLASSID='cut' Height='457' Width='609' CODEBASE='cut' STANDBY='' TYPE='application/x-oleobject' .....etc

It's just broken down into bite size chunks seperated with '+' to make it easier to edit in notepad.

If you think the syntax is still wrong, I'd like to know what the trouible is.

Anyway, upgrading to Windows Media Player 9 made the code work. No syntax errors.

Anyway, I do appreciate your response. Thanks.

Keith
Back to top
kdt
Guest
Posted: Sat Jul 03, 2004 12:32 am    Post subject: Re: Javascript and security Reply with quote
"Neil Smith [MVP Digital Media]" wrote:

Quote:
Are you using an xhtml declaration on this document ?
You cannot set innerHTML to a tag pair without closing the tag :

DIV ID="MediaDiv"
<P ID="Media"
/DIV
SCRIPT LANGUAGE='JavaScript'
Media.innerHTML = buildMediaPlayer("airplaneproc.mpg");
/SCRIPT

It's just not valid XHTML (or even, valid HTML !)

Cheers - Neil

Just using strait HTML.

Are you referring to the paragraph tag not being closed? (the div and script tags are). I can certainly do that. Sorry, this is a new tag for me and dynamic html is a learning experience.

Upgrading to Windows Media 9 fixed the problem and it works now on the one machine where it must.

Thank you for your response.

Keith
Back to top
Neil Smith [MVP Digital M
Guest
Posted: Sat Jul 03, 2004 3:01 pm    Post subject: Re: Javascript and security Reply with quote
On Fri, 2 Jul 2004 13:27:01 -0700, kdt <kdt@discussions.microsoft.com>
wrote:

Quote:
"Neil Smith [MVP Digital Media]" wrote:

This line is giong to cause a javascript error. You must test these
things with error reporting turned on in your browser or your scripts
will fail to run silently :

strObjectText = strObjectText + "STANDBY= ' ' " ;

You need a single closing quote, not two. This is a javascript syntax
error. There may be others. Please debug your code before posting,

Actually this is correct syntax. I have error reporting turned on. It adds an empty string value to the STANDBY parameter - STANDBY=' ' (I added a space here to be more clear)

Yes, sorry you're right (once I checked again) !

It's always difficult to match these single/double quotes in
javascript I geuss I was thrown cause I habitually use single quotes
to enclose strings and double quotes for HTML attributes although
thats only preference sometimes it's possible to get em the wrong way
round ;-)

Apologies for any misleading comment, glad you got it working.

Cheers - Neil
Back to top
 
Post new topic   Reply to topic    WMPTalk.com Forum Index -> Windows Media on Web All times are GMT
Page 1 of 1

 
 You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum



Microsoft Office Forum New Topics
Powered by phpBB