ActiveX And VBScript
The material discussed in this section applies to Microsoft's Internet Explorer only, and is not actually part of any true internet standard at all. This is in part because ActiveX and VBScript are proprietary Microsoft software. However, it is mainly because ActiveX and VBScript rely upon direct calls to the MS-Windows API, and are thus completely incapable of running on any platform other than Windows. Web browsers other than Internet Explorer tend to try for platform independence, so that they can have versions running on multiple platforms, such as X-Windows, Macintosh, or BeOS, and platform-dependent features such as ActiveX and VBScript would run counter to that philosophy.
ActiveX was initially released onto the WWW as a "replacement" for Java applets in web pages, with the intention that all active content on websites would be done in ActiveX instead of Java, thus securing market share for Microsoft. It was not, however, originally created for use on the World Wide Web.
In fact, ActiveX is really just a brand name which Microsoft applied to things that use their Object Linking and Embedding (OLE) compound document technology when it is applied on your system, to make it more marketable, and to differentiate it from pure OLE. ActiveX is not limited to use in Web pages in the way that JavaScript is, nor even just to embedding things into documents. Instead, it is used in many different areas of the OS and applications on the Windows platform. There are only two major parts of it which someone developing web pages needs to concern themselves with. The first is how to embed already existing objects into HTML documents, and the second is how to create new objects and embed them into an HTML document, so that they will be downloaded to the viewer's system to be used.
There are, admittedly, many things in ActiveX which can be quite useful to place on a web page, and as long as you keep in mind that only 35% or less of the people viewing your page will see them, there's no problem. When you use an ActiveX object, the syntax is very similar to when you use a Java Applet - you open the <object> tag, using it to specify what object should be used, then you place a number of <PARAM> tags inside of it to send data to the object being opened, and then you close it. An example would look like this:
The first line is fairly easy - it's an object tag, and it's being given an ID so that scripts will be able to access it later on. The second line, however, is a bit more cryptic - it's a special ActiveX identifier which tells Internet Explorer which OLE object to embed into the page. Unfortunately, there is no simplified way of typing in the classid, and you have to make absolutely sure you get the whole thing right - otherwise, you could load the wrong object, and do something you weren't planning to do.
Next, the <PARAM> tags give the newly embedded object the information it needs to start up. In the case of the object above, that includes a URL to get data from, and information on how to process that data. In the case of some of the graphics and multimedia ActiveX objects, you would give drawing and/or placement commands as parameters to the object instead. Each parameter has its own unique name and a value assigned to it. Internet Explorer then starts up the object, feeds it the given data, and lets it run.
In order to access any given object with ActiveX, all you really need to know is the CLASSID that is associated with it, and what parameters it needs. Unfortunately, finding that information can be a bit of a challenge. At one time Microsoft provided a page listing the classids of all of the ActiveX Objects, but that page seems to have been removed at this time.
Sometimes you may want to do something with ActiveX, and you'll find that there is currently no existing ActiveX object which performs the task you want. Microsoft has thoughtfully provided a solution to this for you, by allowing you to create your own ActiveX objects, compile them, and include them in your web page. The problem with this, however, is that there is absolutely no limit on what parts of the viewer's computer those new objects you create can access. Thus, you can accidentally delete a viewer's files, format their hard drive, or even turn off their computer, all from your web page, if you are not careful about what you do. Numerous tools are available, both from Microsoft themselves and from other companies, which will allow you to write OLE objects to be included in a web page, and those tools will give you the classid which you need to embed your code into a web page.
To embed your new code into a web page (after you've tested it extensively!!!!) you would again use the object tag, this time with an additional parameter, which will look familiar to people who have used Java Applets in their web pages: CODEBASE. Thus, if you had a new ActiveX object to include in a page, your HTML code might look something like this:
Over the years since ActiveX was introduced, many complaints have been made about its lack of security. As a result, modern releases of Internet Explorer typically disable nearly all ActiveX content in web pages unless the user explicitly enables it, and in some cases also disable things that should not involve ActiveX (including many JavaScript commands), claiming that they are potentially harmful to the user's computer.
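As an added example (not code from the original page), here is a Python sketch that lists the ActiveX embeds in a page the way a reviewer might: it checks that each classid is a complete, well-formed CLSID, and reports every CODEBASE download and every PARAM that hands the object a URL. The CLSIDs, ids, parameter names and URLs in the sample are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# "clsid:" followed by a GUID written as 8-4-4-4-12 hex digits.
CLSID_RE = re.compile(r"clsid:[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

class ObjectCollector(HTMLParser):
    """Collect each <object> with its id, classid, codebase and <param> values."""
    def __init__(self):
        super().__init__()
        self.objects, self._stack = [], []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}
        if tag == "object":
            obj = dict({k: a.get(k, "") for k in ("id", "classid", "codebase")}, params={})
            self.objects.append(obj)
            self._stack.append(obj)
        elif tag == "param" and self._stack:  # belongs to the innermost open <object>
            self._stack[-1]["params"][a.get("name", "")] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "object" and self._stack:
            self._stack.pop()

def audit(html):
    """Return (object id, finding) pairs for every ActiveX embed in the page."""
    collector = ObjectCollector()
    collector.feed(html)
    findings = []
    for obj in collector.objects:
        if not obj["classid"].lower().startswith("clsid:"):
            continue  # no CLSID, so not an ActiveX embed
        if not CLSID_RE.fullmatch(obj["classid"]):
            findings.append((obj["id"], "malformed classid"))
        if obj["codebase"]:  # the control itself is downloaded to the viewer
            findings.append((obj["id"], "codebase download: " + obj["codebase"]))
        for name, value in obj["params"].items():
            if urlparse(value).scheme in ("http", "https", "ftp", "file"):
                findings.append((obj["id"], "param %s passes URL %s" % (name, value)))
    return findings

# Constructed sample page: CLSIDs, ids, parameter names and URLs are placeholders.
SAMPLE = """<object id="feed" classid="clsid:00000000-0000-0000-0000-000000000001">
  <param name="DataURL" value="http://example.com/data.txt">
</object>
<object id="custom" classid="CLSID:00000000-0000-0000-0000-00000000002"
        codebase="http://example.com/demo.cab"></object>"""
```

Calling audit(SAMPLE) reports the URL parameter on the first object, and the truncated classid and the CODEBASE download on the second.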
VBScript is a scripting language introduced by Microsoft initially to compete with Netscape's JavaScript. Later, Microsoft added support for VBScript into most of their other applications like Office, Outlook, and other things. Unfortunately, when Microsoft designed VBScript, they decided to choose functionality over security, and created a large number of security problems. Essentially, VBScript is just Visual Basic code, interpreted by an application. This means that VBScript can do anything that a regular application can do on your machine. (Somewhat like the problem with ActiveX, but easier to implement.)
VBScript itself is not actually run by the web browser, but rather it is passed from the browser to a section of the Windows operating system called the Windows Scripting Host, which then interprets and executes the script, returning its results back to the browser. This Windows Scripting Host is the same feature of the Windows operating system which is used to embed VBScript into Word documents, Excel spreadsheets, and mail sent through MS-Outlook or MS-Outlook Express.
VBScript has many of the same security flaws as ActiveX, but it has gained considerably more fame for its flaws - VBScript is what is responsible for all of the various macro viruses which have been heard of infecting Word documents, Excel spreadsheets, and email. One of the earliest widespread examples was the Melissa Virus, which infected MS Word documents and spread worldwide by emailing a copy of itself to everyone in your address book when it was opened in MS-Word by the recipient. Later, the infamous ILOVEYOU virus removed one step from the process, and you merely had to read the mail with Outlook to allow it to spread itself. Then, numerous copycat viruses began appearing which mimic the behaviour of the ILOVEYOU virus, but change their names with each re-sending, to confuse victims into continuing to open them. While other languages are still used for writing viruses, the majority of the viruses currently active on the internet are built using VBScript, due to the fact that nearly every Microsoft program in existence will execute VBScript code. Though most of these viruses travel by email, it is still possible for them to infect a system through the Internet Explorer web browser unless you have disabled it in the browser.
How can you protect yourself from these viruses? The easiest way is to disable the Windows Scripting Host on your computer, so that they cannot run at all. You can find instructions on how at http://www.datafellows.com/virus-info/u-vbs/uninstall-vbs.html. Generally, this problem only affects older Windows computers, and Windows computers without up-to-date virus scanners.
There is a problem with taking this route, however - just because there are many hostile VBScript programs out there does not mean that all of them are negative. For example, if you have a spreadsheet in Excel which performs complex calculations for you, there is a good chance that some part of those calculations relies upon VBScript, and removing the Windows Scripting Host will break those spreadsheets.