Solved

How can I make activeXObject safe for scripting in VBA?

Posted on 2014-02-02
10
777 Views
Last Modified: 2014-02-07
I have a PowerPoint macro with a webBrowser control that contains a JavaScript function which has the line: "var APP = new activeXObject('PowerPoint.Application'); in it.  If IE has its security settings for "Initialize and script ActiveXcontrols not marked as safe for scripting" as disabled, you will get the "Automation Server can't create object" error.

I need to create the PowerPoint object so I can send information from the webBrowser control to the VBA program.  It calls a function in a module with: App.run('PPTupload!JavascriptConnector') where the JavascriptConnector is the name of the function.

Many of the people who would use this macro have their browsers locked down so they wouldn't be able to change the ActiveX control security setting.  So, I would like to know if there is a way to make the JavaScript code in the webBrowser control safe for scripting?
0
Comment
Question by:StarDusterII
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 3
10 Comments
 
LVL 27

Expert Comment

by:MacroShadow
ID: 39828841
0
 
LVL 27

Expert Comment

by:MacroShadow
ID: 39828844
I found omissions and mistakes in this article that I have corrected for presentation in this article. Basically, all that needs to be done is to add code to the DllRegisterServer and DllUnregisterServer methods. The following is a step-by-step guide for making your ActiveX control safe:
http://www.codeproject.com/Articles/14533/A-Complete-ActiveX-Web-Control-Tutorial
0
 

Author Comment

by:StarDusterII
ID: 39835509
Problem is... it's not an activeX control.   It's Javascript embedded in a webBrowser control in a PowerPoint VBA.  As I said in the original post, when the line " "var APP = new activeXObject('PowerPoint.Application'); " is reached in Javascript, I get the error.  The sequence is:

- In PowerPoint vba, put an html page in webBrowser control
- html page contains javascript with the call activeXObject to create a PPT object
- javascript function with that call to activeXobject is called by event in webBrowser
- error happens then

I'm bascially callling a function in my PowerPoint vba from the javascript function in the webBrowser control.
0
Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

 
LVL 27

Expert Comment

by:MacroShadow
ID: 39835578
var APP = new activeXObject('PowerPoint.Application');

Open in new window

should read
var APP = new activeXObject("PowerPoint.Application");

Open in new window


and
App.run('PPTupload!JavascriptConnector')

Open in new window

should read
App.run("JavascriptConnector")

Open in new window

0
 
LVL 13

Accepted Solution

by:
John Mc Hale earned 500 total points
ID: 39837153
Hi StarDusterII,

The CLSID for PowerPoint.Application is {91493441-5A91-11CF-8700-00AA0060263B}
If you search the Winows Registry Hive Subkey HKEY_CLASSES_ROOT\CLSID for this value you will note that this Subkey only has an InprocServer32 Subkey. This in essence means that "PowerPoint.Application" is inherently unsafe for scripting.

According to any documentation i've read on this topic, for an ActiveX control to be marked "safe for scripting"; it must have the Implemented Category "CATID_SafeForScripting" {7DD95801-9882-11CF-9FA9-00AA006C42C4}, and possibly also  "CATID_SafeForInitializing" {7DD95802-9882-11CF-9FA9-00AA006C42C4}.

Since PowerPoint.Application has neither of these, it can neither be initialized of scripted safely from untrusted code.

I'm not suggesting you do this as you will be enabling Microsoft PowerPoint to do something it was clearly intended not to allow, but you could manually include these entries under the subkey HKEY_CLASSES_ROOT\CLSID\{91493443-5A91-11CF-8700-00AA0060263B}.

(1). Create a new key under the subkey, named Implemented Categories
(2). Under the key Implemented Categories, create a new key named {7DD95801-9882-11CF-9FA9-00AA006C42C4} with not value.
(3). If necessary under the key Implemented Categories, create a new key named {7DD95802-9882-11CF-9FA9-00AA006C42C4}; once again with no value.

I haven't tried this myself because I have no situation that requires me to script  a PowerPoint.Application component; but this should give you an indication as to whether or not this strategy will work. Bear in mind, however, that this could leave PowerPoint vunerable to attack from a PowerPoint presentation file containing malicious code.

Best of luck.
0
 

Author Comment

by:StarDusterII
ID: 39840393
fredthered, interesting... I've thought about that too.  Unfortunately, while I could do that, I couldn't expect all the "real" users would be able to change their registry.  In fact, it's locked down for most of them.  I'll try it when I have time just to see if it works.
0
 

Author Comment

by:StarDusterII
ID: 39840413
MacroShadow, bit of a stretch thiking that was going to get rid of the safe for scripting errors, but I gave it a go anyway.  No change in the error.  I think fredthered might have the answer... which is basically, no way given my situation with the inability to change code.
0
 
LVL 13

Expert Comment

by:John Mc Hale
ID: 39840856
StarDusterII,

I think this MSDN article provides some useful information on designing ActiveX controls that are safe for scripting and initialization.

Just a thought; but if you knew a fairly decent C++ coder that could develop a simple wrapper control which would create an instance of PowerPoint.Application, implement the features necessary to make the control safe for scripting/initialization, and return an interface pointer to the "wrapped" PowerPoint.Application object?

Regards.
0
 
LVL 13

Expert Comment

by:John Mc Hale
ID: 39840869
Sorry for re-posting a link to an article that MacroShadow has already highlighted :<
0
 

Author Closing Comment

by:StarDusterII
ID: 39842358
Looks like no way to inherently make the code safe for scripting.  This would essentially do it but is unfortunately not possible for my particular situation.
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Access developers frequently have requirements to interact with Excel (import from or output to) in their applications.  You might be able to accomplish this with the TransferSpreadsheet and OutputTo methods, but in this series of articles I will di…
Ever visit a website where you spotted a really cool looking Font, yet couldn't figure out which font family it belonged to, or how to get a copy of it for your own use? This article explains the process of doing exactly that, as well as showing how…
The viewer will learn how to  create a slide that will launch other presentations in Microsoft PowerPoint. In the finished slide, each item launches a new PowerPoint presentation and when each is finished it automatically comes back to this slide: …
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question