How can I make activeXObject safe for scripting in VBA?

I have a PowerPoint macro with a webBrowser control that contains a JavaScript function which has the line "var APP = new activeXObject('PowerPoint.Application');" in it. If IE has its security setting for "Initialize and script ActiveX controls not marked as safe for scripting" disabled, you will get the "Automation Server can't create object" error.

I need to create the PowerPoint object so I can send information from the webBrowser control to the VBA program.  It calls a function in a module with: App.run('PPTupload!JavascriptConnector') where the JavascriptConnector is the name of the function.

Many of the people who would use this macro have their browsers locked down so they wouldn't be able to change the ActiveX control security setting.  So, I would like to know if there is a way to make the JavaScript code in the webBrowser control safe for scripting?
StarDusterII Asked:
 
John Mc Hale (Forensic Computer Examiner, Analyst/Programmer & Database Architect) Commented:
Hi StarDusterII,

The CLSID for PowerPoint.Application is {91493441-5A91-11CF-8700-00AA0060263B}
If you search the Windows Registry Hive Subkey HKEY_CLASSES_ROOT\CLSID for this value you will note that this Subkey only has an InprocServer32 Subkey. This in essence means that "PowerPoint.Application" is inherently unsafe for scripting.

According to any documentation I've read on this topic, for an ActiveX control to be marked "safe for scripting", it must have the Implemented Category "CATID_SafeForScripting" {7DD95801-9882-11CF-9FA9-00AA006C42C4}, and possibly also "CATID_SafeForInitializing" {7DD95802-9882-11CF-9FA9-00AA006C42C4}.

Since PowerPoint.Application has neither of these, it can neither be initialized or scripted safely from untrusted code.

I'm not suggesting you do this as you will be enabling Microsoft PowerPoint to do something it was clearly intended not to allow, but you could manually include these entries under the subkey HKEY_CLASSES_ROOT\CLSID\{91493443-5A91-11CF-8700-00AA0060263B}.

(1). Create a new key under the subkey, named Implemented Categories
(2). Under the key Implemented Categories, create a new key named {7DD95801-9882-11CF-9FA9-00AA006C42C4} with no value.
(3). If necessary under the key Implemented Categories, create a new key named {7DD95802-9882-11CF-9FA9-00AA006C42C4}; once again with no value.

I haven't tried this myself because I have no situation that requires me to script a PowerPoint.Application component; but this should give you an indication as to whether or not this strategy will work. Bear in mind, however, that this could leave PowerPoint vulnerable to attack from a PowerPoint presentation file containing malicious code.

Best of luck.
0
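
A read-only way to check the registration described in the answer above, added here as an example and not part of any poster's reply: it resolves a ProgID to its CLSID and reports whether the two Implemented Categories keys are present. The function name Get-ComScriptSafety and the output property names are hypothetical; the check covers only the registry categories named in the answer.

```powershell
# Added example: audit whether a COM class is registered as safe for
# scripting / initializing through component categories. Read-only.
$CatIds = [ordered]@{
    SafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
    SafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'
}

function Get-ComScriptSafety {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$ProgId
    )
    # Resolve ProgID -> CLSID from the default value of HKCR\<ProgID>\CLSID
    $progKey = "Registry::HKEY_CLASSES_ROOT\$ProgId\CLSID"
    if (-not (Test-Path -LiteralPath $progKey)) {
        throw "ProgID '$ProgId' is not registered on this machine."
    }
    $clsid = (Get-Item -LiteralPath $progKey).GetValue('')

    # Look at the native registry view and the 32-bit (WOW6432Node) view
    $views = [ordered]@{
        Native = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        Wow64  = "Registry::HKEY_CLASSES_ROOT\WOW6432Node\CLSID\$clsid"
    }
    foreach ($view in $views.GetEnumerator()) {
        if (-not (Test-Path -LiteralPath $view.Value)) { continue }
        $result = [ordered]@{
            ProgId  = $ProgId
            Clsid   = $clsid
            View    = $view.Key
            SubKeys = (Get-ChildItem -LiteralPath $view.Value).PSChildName -join ', '
        }
        foreach ($cat in $CatIds.GetEnumerator()) {
            # A category counts as implemented when its key exists (no value needed)
            $catKey = "$($view.Value)\Implemented Categories\$($cat.Value)"
            $result[$cat.Key] = Test-Path -LiteralPath $catKey
        }
        [pscustomobject]$result
    }
}

Get-ComScriptSafety -ProgId 'PowerPoint.Application' | Format-List
```

On a machine where the keys from steps (1) to (3) have not been created, both SafeForScripting and SafeForInitializing report False; a True value on a managed workstation is worth investigating, given the exposure the answer warns about.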
 
MacroShadow Commented:
I found omissions and mistakes in this article that I have corrected for presentation in this article. Basically, all that needs to be done is to add code to the DllRegisterServer and DllUnregisterServer methods. The following is a step-by-step guide for making your ActiveX control safe:
http://www.codeproject.com/Articles/14533/A-Complete-ActiveX-Web-Control-Tutorial
0
StarDusterII (Author) Commented:
Problem is... it's not an ActiveX control. It's JavaScript embedded in a webBrowser control in a PowerPoint VBA. As I said in the original post, when the line "var APP = new activeXObject('PowerPoint.Application');" is reached in JavaScript, I get the error. The sequence is:

- In PowerPoint vba, put an html page in webBrowser control
- html page contains javascript with the call activeXObject to create a PPT object
- javascript function with that call to activeXobject is called by event in webBrowser
- error happens then

I'm basically calling a function in my PowerPoint VBA from the JavaScript function in the webBrowser control.
0
 
MacroShadow Commented:
var APP = new activeXObject('PowerPoint.Application');

should read

var APP = new activeXObject("PowerPoint.Application");

and

App.run('PPTupload!JavascriptConnector')

should read

App.run("JavascriptConnector")

0
 
StarDusterII (Author) Commented:
fredthered, interesting... I've thought about that too.  Unfortunately, while I could do that, I couldn't expect all the "real" users would be able to change their registry.  In fact, it's locked down for most of them.  I'll try it when I have time just to see if it works.
0
 
StarDusterII (Author) Commented:
MacroShadow, bit of a stretch thinking that was going to get rid of the safe for scripting errors, but I gave it a go anyway. No change in the error. I think fredthered might have the answer... which is basically, no way given my situation with the inability to change code.
0
 
John Mc Hale (Forensic Computer Examiner, Analyst/Programmer & Database Architect) Commented:
StarDusterII,

I think this MSDN article provides some useful information on designing ActiveX controls that are safe for scripting and initialization.

Just a thought; but if you knew a fairly decent C++ coder that could develop a simple wrapper control which would create an instance of PowerPoint.Application, implement the features necessary to make the control safe for scripting/initialization, and return an interface pointer to the "wrapped" PowerPoint.Application object?

Regards.
0
 
John Mc Hale (Forensic Computer Examiner, Analyst/Programmer & Database Architect) Commented:
Sorry for re-posting a link to an article that MacroShadow has already highlighted :<
0
 
StarDusterII (Author) Commented:
Looks like no way to inherently make the code safe for scripting. This would essentially do it but is unfortunately not possible for my particular situation.
0
Question has a verified solution.
