Solved

How can I make activeXObject safe for scripting in VBA?

Posted on 2014-02-02
10
714 Views
Last Modified: 2014-02-07
I have a PowerPoint macro with a webBrowser control that contains a JavaScript function which has the line: "var APP = new activeXObject('PowerPoint.Application'); in it.  If IE has its security settings for "Initialize and script ActiveXcontrols not marked as safe for scripting" as disabled, you will get the "Automation Server can't create object" error.

I need to create the PowerPoint object so I can send information from the webBrowser control to the VBA program.  It calls a function in a module with: App.run('PPTupload!JavascriptConnector') where the JavascriptConnector is the name of the function.

Many of the people who would use this macro have their browsers locked down so they wouldn't be able to change the ActiveX control security setting.  So, I would like to know if there is a way to make the JavaScript code in the webBrowser control safe for scripting?
0
Comment
Question by:StarDusterII
  • 4
  • 3
  • 3
10 Comments
 
LVL 26

Expert Comment

by:MacroShadow
ID: 39828841
0
 
LVL 26

Expert Comment

by:MacroShadow
ID: 39828844
I found omissions and mistakes in this article that I have corrected for presentation in this article. Basically, all that needs to be done is to add code to the DllRegisterServer and DllUnregisterServer methods. The following is a step-by-step guide for making your ActiveX control safe:
http://www.codeproject.com/Articles/14533/A-Complete-ActiveX-Web-Control-Tutorial
0
 

Author Comment

by:StarDusterII
ID: 39835509
Problem is... it's not an activeX control.   It's Javascript embedded in a webBrowser control in a PowerPoint VBA.  As I said in the original post, when the line " "var APP = new activeXObject('PowerPoint.Application'); " is reached in Javascript, I get the error.  The sequence is:

- In PowerPoint vba, put an html page in webBrowser control
- html page contains javascript with the call activeXObject to create a PPT object
- javascript function with that call to activeXobject is called by event in webBrowser
- error happens then

I'm bascially callling a function in my PowerPoint vba from the javascript function in the webBrowser control.
0
 
LVL 26

Expert Comment

by:MacroShadow
ID: 39835578
var APP = new activeXObject('PowerPoint.Application');

Open in new window

should read
var APP = new activeXObject("PowerPoint.Application");

Open in new window


and
App.run('PPTupload!JavascriptConnector')

Open in new window

should read
App.run("JavascriptConnector")

Open in new window

0
 
LVL 13

Accepted Solution

by:
John Mc Hale earned 500 total points
ID: 39837153
Hi StarDusterII,

The CLSID for PowerPoint.Application is {91493441-5A91-11CF-8700-00AA0060263B}
If you search the Winows Registry Hive Subkey HKEY_CLASSES_ROOT\CLSID for this value you will note that this Subkey only has an InprocServer32 Subkey. This in essence means that "PowerPoint.Application" is inherently unsafe for scripting.

According to any documentation i've read on this topic, for an ActiveX control to be marked "safe for scripting"; it must have the Implemented Category "CATID_SafeForScripting" {7DD95801-9882-11CF-9FA9-00AA006C42C4}, and possibly also  "CATID_SafeForInitializing" {7DD95802-9882-11CF-9FA9-00AA006C42C4}.

Since PowerPoint.Application has neither of these, it can neither be initialized of scripted safely from untrusted code.

I'm not suggesting you do this as you will be enabling Microsoft PowerPoint to do something it was clearly intended not to allow, but you could manually include these entries under the subkey HKEY_CLASSES_ROOT\CLSID\{91493443-5A91-11CF-8700-00AA0060263B}.

(1). Create a new key under the subkey, named Implemented Categories
(2). Under the key Implemented Categories, create a new key named {7DD95801-9882-11CF-9FA9-00AA006C42C4} with not value.
(3). If necessary under the key Implemented Categories, create a new key named {7DD95802-9882-11CF-9FA9-00AA006C42C4}; once again with no value.

I haven't tried this myself because I have no situation that requires me to script  a PowerPoint.Application component; but this should give you an indication as to whether or not this strategy will work. Bear in mind, however, that this could leave PowerPoint vunerable to attack from a PowerPoint presentation file containing malicious code.

Best of luck.
0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 

Author Comment

by:StarDusterII
ID: 39840393
fredthered, interesting... I've thought about that too.  Unfortunately, while I could do that, I couldn't expect all the "real" users would be able to change their registry.  In fact, it's locked down for most of them.  I'll try it when I have time just to see if it works.
0
 

Author Comment

by:StarDusterII
ID: 39840413
MacroShadow, bit of a stretch thiking that was going to get rid of the safe for scripting errors, but I gave it a go anyway.  No change in the error.  I think fredthered might have the answer... which is basically, no way given my situation with the inability to change code.
0
 
LVL 13

Expert Comment

by:John Mc Hale
ID: 39840856
StarDusterII,

I think this MSDN article provides some useful information on designing ActiveX controls that are safe for scripting and initialization.

Just a thought; but if you knew a fairly decent C++ coder that could develop a simple wrapper control which would create an instance of PowerPoint.Application, implement the features necessary to make the control safe for scripting/initialization, and return an interface pointer to the "wrapped" PowerPoint.Application object?

Regards.
0
 
LVL 13

Expert Comment

by:John Mc Hale
ID: 39840869
Sorry for re-posting a link to an article that MacroShadow has already highlighted :<
0
 

Author Closing Comment

by:StarDusterII
ID: 39842358
Looks like no way to inherently make the code safe for scripting.  This would essentially do it but is unfortunately not possible for my particular situation.
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

The new Microsoft OS looks great, is easier than ever to upgrade to, it is even free.  So what's the catch?  If you don't change the privacy settings, Microsoft will, in accordance with the (EULA) you clicked okay to without reading, collect all the…
This collection of functions covers all the normal rounding methods of just about any numeric value.
The viewer will learn how to simulate a series of coin tosses with the rand() function and learn how to make these “tosses” depend on a predetermined probability. Flipping Coins in Excel: Enter =RAND() into cell A2: Recalculate the random variable…
Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now