Microsoft KB Archive/329160

= Content Advisor displays warning for script URL =

Article ID: 329160

Article Last Modified on 11/29/2007

-

APPLIES TO


 * Microsoft Internet Explorer 6.0
 * Microsoft Internet Explorer 5.5 Service Pack 2
 * Microsoft Internet Explorer 5.01 Service Pack 2

-



This article was previously published under Q329160



SYMPTOMS
After you restrict the sites that you may open in Microsoft Internet Explorer, the Content Advisor dialog box may appear if the HTML page contains embedded JavaScript links, even though the site is permitted and loads in a new window.



CAUSE
In Content Advisor, the user is given access to HTTP://microsoft.site.com and is given restricted access to everything else, and the site contains HREF links to scripting URLs.



WORKAROUND
To work around the behavior that is described in the &quot;Symptoms&quot; section of this article, use one of the following elements:
 * SPAN HTML element.
 * Button HTML element.

SPAN Element

 * In the SPAN element, set the onclick event of the SPAN element to behave like the href attribute of the ANCHOR HTML element.
 * You may make the SPAN element appear like the ANCHOR element. The tag may be used to underline the text in the SPAN element. The cursor may be set to appear as a hand image when you position the cursor on the text in the SPAN element by using the cascading style sheet.

The following sample HTML code uses the SPAN element:        click     Note Replace  with the URL of the site you want to visit.

Button HTML Element
In the Button HTML element, set the onclick event of the Button element to behave like the href attribute of the ANCHOR HTML element.

The following sample html code uses the Button element:   </HEAD>   <input type=button onclick=&quot;javascript:window.open('http://www.tailspintoys.com')&quot;> </Form> </BODY> </HTML> Note Replace  with the URL of the site you want to visit.

Note The Button element may not appear as the ANCHOR element.

<div class="moreinformation_section">

MORE INFORMATION
Content Advisor uses the InternetCrackURL public function to separate the URL into various components based on the URL breakdown and specifications. The following is the breakdown for the example &quot;http:// /&quot; permitted site:

Internet Scheme = http

Internet Host =

Internet Path =

A scripting URL, such as &quot;javascript:window.open('http://www. .com')&quot;, equates to the following objects in the InternetCrackURL public function:

Internet Scheme = javascript

Internet Host = window.open('http:

Internet Path = //www. .com')

If the HREF contains a scripting URL, the HREF is processed as two separate requests. The first request executes the following JavaScript :

&quot;javascript.window.open('http://www.site.com')&quot;

The second request results from the execution of window.open('http://www. .com').

The first request is executed with the JavaScript URL. The Content Advisor blocks the request because of the pattern match failure with the Internet Scheme, Internet Host, and Internet Path objects, and the user receives the dialog box. The second request executes without a prompt because the URL is &quot;http://www. .com&quot;, and this pattern matches the permitted server list of the Content Advisor.

<div class="status_section">

STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

Keywords: kbhtml kbbutton kbscript kbfix kbie600presp2fix kbie600sp2fix kbprb kbie600sp1fix KB329160

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.