Rre: ActiveScriptRuby and Internet Explorer : WIN32OLE ole_methods limited?

ruby-talk
1

“Jerome Hauss” jhauss@gfi.fr wrote in message
news:150401c42d17$4eb0e4d0$032f10ac@WJHAUSS2

With Internet Explorer and ActiveScriptRuby, the ole_methods for an
Microsoft.XMLDOM object, does not show for instance the “load” method.

“Does not show” is not very descriptive.

And there’s a security error when I try the load.

What does “security error” mean?

Why should the load method be dangerous ?

I don’t know.

I would like to use RubyScript instead of JavaScript, but I cannot do
the same… Some solutions ?

Solutions to what? Please post some code.

(and calling WIN32OLE ole_get_methods or ole_func_methods stops
executing a RubyScript defined method…?)

That sounds possible - multithreading in Ruby is counterintuitive. I’m
not going to speculate further without seeing some code.

PS. Is it a bad idea to marshal and unmarshal objects sent between the
navigator and the server ?

What do you have in mind?

fyi, this works for me:

$ cat ./test.rb
#!/usr/bin/ruby
require ‘win32ole’
p xd = WIN32OLE.new(‘Microsoft.XMLDOM’)
puts ‘'*40
p xd.ole_obj_help
puts '’*40
p xd.ole_methods
puts ‘'*40
p xd.load(‘C:\Program Files\tv\xmltv-0.5.24-win32\guide.xml’)
puts '’*40
p xd.readyState
puts ‘_’*40
puts xd.lastChild.lastChild.text.inspect

$ ruby -v
ruby 1.8.0 (2003-08-04) [i386-mswin32]

$ ./test.rb
#WIN32OLE:0x100f5470

···

IXMLDOMDocument2

[QueryInterface, AddRef, Release, GetTypeInfoCount, GetTypeInfo,
GetIDsOfNames, Invoke, nodeName, nodeValue, nodeValue, nodeType,
parentNode, childNodes, firstChild, lastChild, previousSibling,
nextSibling, attributes, insertBefore, replaceChild, removeChild,
appendChild, hasChildNodes, ownerDocument, cloneNode, nodeTypeString,
text, text, specified, definition, nodeTypedValue, nodeTypedValue,
dataType, dataType, xml, transformNode, selectNodes, selectSingleNode,
parsed, namespaceURI, prefix, baseName, transformNodeToObject,
doctype, implementation, documentElement, createElement,
createDocumentFragment, createTextNode, createComment,
createCDATASection, createProcessingInstruction, createAttribute,
createEntityReference, getElementsByTagName, createNode, nodeFromID,
load,
readyState, parseError, url, async, async, abort, loadXML, save,
validateOnParse, validateOnParse, resolveExternals, resolveExternals,
preserveWhiteSpace, preserveWhiteSpace, onreadystatechange,
ondataavailable, ontransformnode, namespaces, schemas, validate,
setProperty, getProperty, GetTypeInfoCount, GetTypeInfo, GetIDsOfNames,
Invoke]

true

4

“Outside the Lines Nightly Sports Info”

2

Sorry for the lack of information, and thank you for your test.
It seems I have an IXMLDOMNode object and not IXMLDOMDocument as expected.

For instance this html document :

Ici Paris à vous Cognacq Jay

  • WIN32OLE.new : ok

  • ole_obj_help : it’s a IXMLDOMNode, but why ???

  • methods of WIN32OLE

  • ole_methods
    [AddRef, GetIDsOfNames, GetIDsOfNames, GetTypeInfo, GetTypeInfo,
    GetTypeInfoCount, GetTypeInfoCount, Invoke, Invoke, QueryInterface, Release,
    appendChild, attributes, baseName, childNodes, cloneNode, dataType,
    dataType, definition, firstChild, hasChildNodes, insertBefore, lastChild,
    namespaceURI, nextSibling, nodeName, nodeType, nodeTypeString,
    nodeTypedValue, nodeTypedValue, nodeValue, nodeValue, ownerDocument,
    parentNode, parsed, prefix, previousSibling, removeChild, replaceChild,
    selectNodes, selectSingleNode, specified, text, text, transformNode,
    transformNodeToObject, xml]
    Missing load, loadXML, documentElement, … but seems ok, since it’s a
    IXMLDOMNode

  • validateOnParse : no error

  • async : no error

  • load : there’s the following error
    Erreur : load
    OLE rb_compile_error:80070005 in msxml3.dll
    Accès refusé

    Une exception s’est produite
    Code : 512
    (translation : …access refused … an exception has occurred)

Other tests : (not listed)

  • xmlDoc.documentElement returns nil (logic)
  • xmlDoc.loadXML works fine, as well as xmlDoc.xml
  • if I try xmlDoc.transformNode (given two MSXML objects via loadXML),
    result ok if there is no script inside the xsl part, otherwise (even if I
    lower security to its minimum in IE6.0 SP1)
    Erreur : transformNode
    OLE rb_compile_error:80004005 in msxml3.dll
    Les paramètres de sécurité n’autorisent pas l’exécution de code de
    script au sein de cette feuille de style
    (translation : security parameters do not allow execution of script code
    inside this style sheet)

Windows2000, IE6.0 SP1, ActiveScriptRuby1.8

Greetings,
Jérôme HAUSS

Newsgroups: comp.lang.ruby

···

----- Original Message -----
From: “anon luker” hatespyware@yahoo.com
To: “ruby-talk ML” ruby-talk@ruby-lang.org
Sent: Thursday, April 29, 2004 1:34 AM
Subject: rre: ActiveScriptRuby and Internet Explorer : WIN32OLE ole_methods
limited?

“Jerome Hauss” jhauss@gfi.fr wrote in message
news:150401c42d17$4eb0e4d0$032f10ac@WJHAUSS2

With Internet Explorer and ActiveScriptRuby, the ole_methods for an
Microsoft.XMLDOM object, does not show for instance the “load” method.

“Does not show” is not very descriptive.

And there’s a security error when I try the load.

What does “security error” mean?

Why should the load method be dangerous ?

I don’t know.

I would like to use RubyScript instead of JavaScript, but I cannot do
the same… Some solutions ?

Solutions to what? Please post some code.

(and calling WIN32OLE ole_get_methods or ole_func_methods stops
executing a RubyScript defined method…?)

That sounds possible - multithreading in Ruby is counterintuitive. I’m
not going to speculate further without seeing some code.

PS. Is it a bad idea to marshal and unmarshal objects sent between the
navigator and the server ?

What do you have in mind?

fyi, this works for me:

$ cat ./test.rb
#!/usr/bin/ruby
require ‘win32ole’
p xd = WIN32OLE.new(‘Microsoft.XMLDOM’)
puts ‘'*40
p xd.ole_obj_help
puts '’*40
p xd.ole_methods
puts ‘'*40
p xd.load(‘C:\Program Files\tv\xmltv-0.5.24-win32\guide.xml’)
puts '’*40
p xd.readyState
puts ‘_’*40
puts xd.lastChild.lastChild.text.inspect

$ ruby -v
ruby 1.8.0 (2003-08-04) [i386-mswin32]

$ ./test.rb
#WIN32OLE:0x100f5470

IXMLDOMDocument2

[QueryInterface, AddRef, Release, GetTypeInfoCount, GetTypeInfo,
GetIDsOfNames, Invoke, nodeName, nodeValue, nodeValue, nodeType,
parentNode, childNodes, firstChild, lastChild, previousSibling,
nextSibling, attributes, insertBefore, replaceChild, removeChild,
appendChild, hasChildNodes, ownerDocument, cloneNode, nodeTypeString,
text, text, specified, definition, nodeTypedValue, nodeTypedValue,
dataType, dataType, xml, transformNode, selectNodes, selectSingleNode,
parsed, namespaceURI, prefix, baseName, transformNodeToObject,
doctype, implementation, documentElement, createElement,
createDocumentFragment, createTextNode, createComment,
createCDATASection, createProcessingInstruction, createAttribute,
createEntityReference, getElementsByTagName, createNode, nodeFromID,
load,
readyState, parseError, url, async, async, abort, loadXML, save,
validateOnParse, validateOnParse, resolveExternals, resolveExternals,
preserveWhiteSpace, preserveWhiteSpace, onreadystatechange,
ondataavailable, ontransformnode, namespaces, schemas, validate,
setProperty, getProperty, GetTypeInfoCount, GetTypeInfo, GetIDsOfNames,
Invoke]

true

4

“Outside the Lines Nightly Sports Info”

3

“Jerome Hauss” jhauss@gfi.fr wrote in message
news:174801c42de4$454d6530$032f10ac@WJHAUSS2

Sorry for the lack of information, and thank you for your test.

Sorry for being so curt, but had you not posted more information I
wouldn’t have guessed that you wanted to use your script inside of ie

  • I thought you merely wanted to use the parser tools bundled with it.
···
  • load : there’s the following error Erreur : load OLE
    rb_compile_error:80070005 in msxml3.dll Accès refusé

(translation : …access refused … an exception has occurred)

From the ASR website:
12 Jun. 2000, 03:05:32 JST
12 Jun. 2000, RScript Version 1.0.3.2
Now ActiveScriptRuby support Internet Explorer’s Security Option.
Ruby’s dangerous operations are now ristricted in IE.

Your code is perfect, as far as I can tell. Your difficulty is related
to the fact that you’re doing something ASR deems unsafe. For details
on what precisely deliniates safe vs. unsafe, I’ll have to refer you
to Artonx. Clearly, allowing load to work in client-side scripts would
allow malicious webpages trivial read-access to the client’s files.
Bypassing security will probably require modifying the engine, too - I
haven’t seen any documentation on security configuration. Again, you’ll
have to get with Arton.

-cheers

4

Ah! Yes indeed, it should not be possible to load a client’s file… I tried
putting my files on an HTTP server, but it is the same. I will try mailing
to Arton.

Don’t you think the behaviour of WIN32OLE is peculiar inside IE ?
(having apparently an IXMLDOMNode object when calling
WIN32OLE.new(“Microsoft.XMLDOM”)
inside IE, whereas one gets an IXMLDOMDocument2 object when calling from the
ruby interpreter under Windows)…

Greetings,
Jérôme HAUSS

Newsgroups: comp.lang.ruby

···

----- Original Message -----
From: “anon luker” hatespyware@yahoo.com
To: “ruby-talk ML” ruby-talk@ruby-lang.org
Sent: Thursday, April 29, 2004 11:59 PM
Subject: Re: ActiveScriptRuby and Internet Explorer : WIN32OLE ole_methods
limited?

“Jerome Hauss” jhauss@gfi.fr wrote in message
news:174801c42de4$454d6530$032f10ac@WJHAUSS2

Sorry for the lack of information, and thank you for your test.

Sorry for being so curt, but had you not posted more information I
wouldn’t have guessed that you wanted to use your script inside of ie

  • I thought you merely wanted to use the parser tools bundled with it.
  • load : there’s the following error Erreur : load OLE
    rb_compile_error:80070005 in msxml3.dll Accès refusé

(translation : …access refused … an exception has occurred)

From the ASR website:
12 Jun. 2000, 03:05:32 JST
12 Jun. 2000, RScript Version 1.0.3.2
Now ActiveScriptRuby support Internet Explorer’s Security Option.
Ruby’s dangerous operations are now ristricted in IE.

Your code is perfect, as far as I can tell. Your difficulty is related
to the fact that you’re doing something ASR deems unsafe. For details
on what precisely deliniates safe vs. unsafe, I’ll have to refer you
to Artonx. Clearly, allowing load to work in client-side scripts would
allow malicious webpages trivial read-access to the client’s files.
Bypassing security will probably require modifying the engine, too - I
haven’t seen any documentation on security configuration. Again, you’ll
have to get with Arton.

-cheers