[Javascript] Call an external program?
Nick Fitzsimons
nick at nickfitz.co.uk
Thu Apr 27 10:30:34 CDT 2006
Miles Thompson wrote:
> I've looked through my JS book, and Googled, but I cannot find anything
> like PHP's exec() command in JavaScript.
>
PHP runs on a server (when involved in webapps) and if the server
administrator allows malicious code to be put on there that wipes out
the machine, that's their responsibility. JS is served to a client
machine, and it's not practical to expect users to inspect your JS code
before visiting your site to make sure it does nothing nasty. Therefore,
to prevent malicious attacks on client machines, JavaScript code runs
under tight security restrictions. Among these is that JS can't call
local applications, for the simple reason that I could then use
something like:
<script type="text/javascript">
exec("format c:");
</script>
and wipe out the system drive of every Windows user who visits my site.
> What I want to do is this:
>
> When the operator leaves the "pay_method" combo box, if it has been
> changed to either "VISA" or "M-C", trigger a call to a credit card
> maintenance program (CC_app) that runs on the local desktop. This
> program does NOT run in a browser.
>
> I sort of think it could be done with a Java applet, and the applet
> could watch the combo box for the change and make the call, but I'm not
> sure. Then we would end up downloading the applet on every page refresh.
>
If you find a way to do it from a Java applet then I suggest you report
it to Sun Microsystems as a major security vulnerability. Applets are
sandboxed in a similar way to JS, and for exactly the same reasons as
above. In particular, although the Java platform includes the
java.lang.Runtime singleton which has an exec() method, this is not
accessible from an applet - calling it would throw a SecurityException,
IIRC.
> Opinions? Suggestions?
>
A possible approach would be to have your desktop app register itself as
the handler for documents of some made-up MIME type, and use JS to
download a file of that type. This would trigger the usual download
dialog with the "Open using CC_app", "Save to disk" and "Cancel"
options. As any sensible user would cancel it on the grounds that
selecting an option shouldn't trigger a file download of unknown type,
this probably wouldn't get you very far.
If you only care about IE users, you could look into writing a BHO
(search the MSDN library for "browser helper object"), but again, any
sensible user would have that caught by their anti-spyware app and
probably refuse permission to install it, or remove it when it was
flagged. (I'm tempted to add that of course, sensible users wouldn't be
running IE in the first place, but there's no point starting a holy war
at this time ;-)
> What I am suggesting now is to keep the CC_app open and use an alert()
> to remind the user who can then Alt+Tab to it.
That's probably all you can do. Bear in mind that the majority of normal
computer users don't even know the Alt-Tab combination, or any other
keyboard shortcuts for that matter, so you might want to give them a
more detailed explanation of what to do. I've seldom come across an
ordinary office worker (i.e. non-IT person) who even knows that they can
use Ctrl-C instead of going to the Edit menu and selecting Copy.
>
> Tks in advance - Miles Thompson
>
>
HTH,
Nick.
--
Nick Fitzsimons
http://www.nickfitz.co.uk/
More information about the Javascript
mailing list