[Javascript] Call an external program?

Nick Fitzsimons nick at nickfitz.co.uk
Thu Apr 27 10:30:34 CDT 2006


Miles Thompson wrote:
> I've looked through my JS book, and Googled, but I cannot find anything 
> like PHP's exec() command in JavaScript.
> 

PHP runs on a server (when involved in webapps) and if the server 
administrator allows malicious code to be put on there that wipes out 
the machine, that's their responsibility. JS is served to a client 
machine, and it's not practical to expect users to inspect your JS code 
before visiting your site to make sure it does nothing nasty. Therefore, 
to prevent malicious attacks on client machines, JavaScript code runs 
under tight security restrictions. Among these is that JS can't call 
local applications, for the simple reason that I could then use 
something like:

<script type="text/javascript">
    exec("format c:");
</script>

and wipe out the system drive of every Windows user who visits my site.

> What I want to do is this:   
> 
>     When the operator leaves the "pay_method" combo box, if it has been 
> changed to either "VISA" or "M-C", trigger a call to a credit card 
> maintenance program (CC_app) that runs on the local desktop. This 
> program does NOT run in a browser.
> 
> I sort of think it could be done with a Java applet, and the applet 
> could watch the combo box for the change and make the call, but I'm not 
> sure. Then we would end up downloading the applet on every page refresh.
> 

If you find a way to do it from a Java applet then I suggest you report 
it to Sun Microsystems as a major security vulnerability. Applets are 
sandboxed in a similar way to JS, and for exactly the same reasons as 
above. In particular, although the Java platform includes the 
java.lang.Runtime singleton which has an exec() method, this is not 
accessible from an applet - calling it would throw a SecurityException, 
IIRC.

> Opinions? Suggestions?
> 

A possible approach would be to have your desktop app register itself as 
the handler for documents of some made-up MIME type, and use JS to 
download a file of that type. This would trigger the usual download 
dialog with the "Open using CC_app", "Save to disk" and "Cancel" 
options. As any sensible user would cancel it on the grounds that 
selecting an option shouldn't trigger a file download of unknown type, 
this probably wouldn't get you very far.

If you only care about IE users, you could look into writing a BHO 
(search the MSDN library for "browser helper object"), but again, any 
sensible user would have that caught by their anti-spyware app and 
probably refuse permission to install it, or remove it when it was 
flagged. (I'm tempted to add that of course, sensible users wouldn't be 
running IE in the first place, but there's no point starting a holy war 
at this time ;-)

> What I am suggesting now is to keep the CC_app open and use an alert() 
> to remind the user who can then Alt+Tab to it.

That's probably all you can do. Bear in mind that the majority of normal 
computer users don't even know the Alt-Tab combination, or any other 
keyboard shortcuts for that matter, so you might want to give them a 
more detailed explanation of what to do. I've seldom come across an 
ordinary office worker (i.e. non-IT person) who even knows that they can 
use Ctrl-C instead of going to the Edit menu and selecting Copy.

> 
> Tks in advance - Miles Thompson
> 
> 

HTH,

Nick.
-- 
Nick Fitzsimons
http://www.nickfitz.co.uk/
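
Added example, not part of the original message: a Node.js sketch of the sandbox rule described above. A script can only call what its host exposes, and a host that does expose a sensitive call can gate it, in the spirit of the applet SecurityException. The names runUntrusted, makeGatedExec and PAGE_SCRIPT and the allowlist are assumptions made for the illustration, and nothing is ever executed.

```javascript
// Added illustration. runUntrusted, makeGatedExec and PAGE_SCRIPT are
// hypothetical names. node:vm is NOT a security boundary; it is used here
// only to show which names a script can resolve.
const vm = require('node:vm');

// Script body from the message above, treated as untrusted page code.
const PAGE_SCRIPT = 'exec("format c:");';

// Evaluate source against a global object holding only what the host exposes.
function runUntrusted(source, exposed) {
  const context = vm.createContext({ ...exposed });
  try {
    const value = vm.runInContext(source, context, { timeout: 100 });
    return { ran: true, value, error: null };
  } catch (err) {
    return { ran: false, value: undefined, error: err.name };
  }
}

// A host-provided exec that logs each request, then refuses it unless the
// command is on an allowlist. Allowed commands are only acknowledged.
function makeGatedExec(allowlist, auditLog) {
  return function exec(command) {
    const cmd = String(command);
    const allowed = allowlist.includes(cmd);
    auditLog.push({ cmd, allowed });
    if (!allowed) {
      const err = new Error('exec denied by host policy: ' + cmd);
      err.name = 'SecurityError';
      throw err;
    }
    return 'accepted';
  };
}

// Case 1: browser-like host with no exec binding at all.
const noBinding = runUntrusted(PAGE_SCRIPT, {});

// Case 2: host exposes a gated exec; the page script is refused and logged.
const auditLog = [];
const hostExec = makeGatedExec(['CC_app'], auditLog); // constructed allowlist
const gated = runUntrusted(PAGE_SCRIPT, { exec: hostExec });

// Case 3: the same host accepts the one allowlisted request.
const allowed = runUntrusted('exec("CC_app")', { exec: hostExec });

console.log(noBinding.error, gated.error, allowed.value, auditLog);
```

The audit log is the part a defender keeps: every request reaches the host's policy check and is recorded whether or not it is granted.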




