How to protect HTML code that is displayed inside a CHtmlView

Posted on 2003-03-11
Medium Priority
Last Modified: 2013-11-20

A friend of mine wants to protect webpages. He wants to block access to the HTML code of displayed webpages.

For this purpose he created a program that uses CHtmlView to show webpages and wants to create a second thread that basicall constantly checks if the surroundings are "safe". As soon as an attack on the HTML code is detected, the displayed web-page would be removed.

Now I know it is fairly easy to attach to a running instance of IE or use browser helper objects or other methods to gain access to the insides of IE and there is always the cache-problem too.

So my question:

Does anybody have suggestions

a)  how to reliably turn off caching of the loaded pages?

b)  how to check for code-sniffing browser-helper objects before and during the display of the pages
    (and just close the webpage if an "attack" is detected).  Is there an enumeration function that
    gives a list of the installed helper objects?  Is there an instance counter that we could use
    to detect if somebody tries to connect to our IE ?

c)  suggestions for other attacks to get the source-code?  (Don't worry about the transport between
    the server and the user's machine. That is being done encrypted.  The problem starts once
    the IE instance renders the web-page.) So do you know of other ways to get to the HTML code?

And lastly your take on how probable it is that my friend can shut down all loopholes so that access
to the HTML-code is made VERY tough (read: is restricted to very sophisticated and clever hackers).

Thank you all for your help!

Kind regards

Question by:rhoepperger
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +1
LVL 12

Expert Comment

ID: 8112931

  Have you tried generating all html code from inside a .js (javascript) file. When the html source is viewed all that the user sees is something like

 include "mypage.js"

 OnLoad ( "GeneratePage" )

 Would have to look up my Javascript book, been a while.


Author Comment

ID: 8114204
Williamcampbell, thank you for your tip, but the problem is, EVENTUALLY the Internet Explorer that renders the page knows the complete HTML code.  And that code is stored inside the "Document" object and can be read out by some other program or hacker.

Your tip helps against normal users, but not against programmers who can deal with Browser helper objects and other stuff like that.

But thank you for your tip.


Accepted Solution

keitha1 earned 200 total points
ID: 8134798
If know the events and elements that you want to protect, then you can just create an IDispatch derived class that performs the desired action.

Assume you are interested in hiding some action that is performed on a mouse_over event for a particular element.

You would create a class as follows:

class CMouseOverEventSink : public IDispatch
// In the Evoke override, add your secret action code

Then declare an instance of the interface
CMouseOverEventSink moSink;

Then after obtaining the interface to the desired element (by walking the IHTMLDocument2 element collection) you would vector the mouse_over event to your new handler like so

v.pdispVal = (IDispatch*) &moSink;
hresult = pElem->put_onmouseover (v);

Now, if someone tries to do a get_onmouseoever, all they will see is a pointer to some IDispatch.

Hope that helps

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

LVL 12

Expert Comment

ID: 8138243

  1) There is a Meta Tag called CACHE (maybe UPDATECAHCE)which when set to zero will stop IE Caching the page.

  I don't see how a programmer could get to the Document object inside IE. Unless they intercepted the Encryped HTML before it gets to IE inserted a function into OnLoad that gives them access to doc. But by then they already have the HTML.

  Is there an Interface for querying an instance of IExplore.exe for its document object structure?


Author Comment

ID: 8139660
there are browser helper objects,  running program tables and all kinds of other stuff how to connect to a running instance of IE.  And as soon as the connection is made you can access the HTML code from the inside.   THAT should be prevented if possible!

your answer is VERY VERY interesting!  But unfortunately I am not a COM programmer (I just have some working knowledge of it).  Is there a way that you could elaborate your answer a bit?  It is not some event that I need to conceal but simply access to the document object should be restricted by running it through some of my own code.
How would I do that?   Would you be able to write something like this for me and I pay you through PayPal or so?  If so, please contact me at office@hope-soft.co.at
I believe we are on the right track with your answer.
I very much look forward to hearing more about that.



Expert Comment

ID: 8160875
Ok, what you want can be boiled down to basically the holy grail of security. There is no way to absolutely protect the document. On the bright side, I am going to mail you a little program I wrote that mimics IE (using a CHtmlView class). It walks the document through the DOM interface and revectors certain events to use a custom IDispatch rolled event.

This program is a good example of what a programmer can do with your document. If they can simply aquire your document through an http request, then they can use their own custom browser to do just about anything they want.

I'll give instructions in the email.

Author Comment

ID: 8162167
Hello Keith,

Thanks a LOT for your generous help!  This is awesome. And I already sent you private email.

Thanks a lot!

Expert Comment

ID: 11628059
I would very much like to accept Keith's answer.  Thank you VERY much for it Keith.  

Dan, please accept Keith's answer for me as I do not see the "Accept answer" buttons (don't know why).

Thanks a lot to both of you!

Kind regards

Expert Comment

ID: 11800661
Hi Dan,

My name in Austria is Höpperger which in English can be represented as hoepperger or hopperger.  As experts-exchange did not allow umlauts, I used rhoepperger while I was still living in Europe.  I moved to America 4 years ago and here my name is Hopperger and so I used rhopperger as my username.   That's probably how this two account-scenario happened.

Anyway,  I CAN log on as rhopperger (the newer account) but no matter what I try, I CANNOT log on as rhoepperger.  I get a weird error page (SQL errors and such...) if I try.

So I have no means of loging on as rhoepperger and also cannot give anybody the points for the answer.
As I cannot log onto the site as rhoepperger anyway, there will also be no more problem in the future.  The few questions that are still open as rhoepperger will be closed soon and every new question will be under rhopperger.

Please deal with the question as you see fit.   Thanks.

Kind regards

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction: Load and Save to file, Document-View interaction inside the SDI. Continuing from the second article about sudoku.   Open the project in visual studio. From the class view select CSudokuDoc and double click to open the header …
Introduction: Database storage, where is the exe actually on the disc? Playing a game selected randomly (how to generate random numbers).  Error trapping with try..catch to help the code run even if something goes wrong. Continuing from the seve…
This video will show you how to get GIT to work in Eclipse.   It will walk you through how to install the EGit plugin in eclipse and how to checkout an existing repository.
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…
Suggested Courses

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question