Execute application from HTML in a USB - javascript

I need this:
The user inserts a USB drive in his PC. Then, it autoruns a .html
page in user's default browser. In the HTML page there are two
buttons: if the user presses button 1, I need to copy files to local
disk and then run these. If the user presses button 2, I need to call
a file from local disk.
I know how can autorun a .html file from USB memory. But 1) how can I copy files from HTML to local disk, and 2) how can I run files from local disk using HTML? (in Chrome, Firefox and IE).
Thanks!

Purely from HTML you will not be able to execute commands on your computer.
In order to do that, you'd need to start a daemon on your computer that would answer HTTP requests from the browser and execute commands accordingly.
Or you'd need to have plugin for the browser that would do that, but I'm not sure whether plugins are able to escape the browser sandbox. Even if they could, the solution would be browser specific.

Related

It it possible to use javascript to save a file to specific directory?

Used Filesaver.js plugins to download a text file. By default file download in My download folder. Need to store the downloaded file in a specific folder.
It is not possible... fortunately! Imagine what would happen if JS which runs in your browser could change your filesystem. The security hole would be so big that everyone would (and definitely should) stop using the Internet. Imagine a situation where I've built a website which onload fires the code which save a file in your filesystem. The file lands in your cron.daily directory (suppose you use Linux). What is the file doing? - you may ask (if you knew that it's been even saved :smiling_imp:). Nothing special - just looking for some private data and when finished it deletes random files from /usr/bin, /proc, /sys and maybe /etc - just to see what happens.
Do you see the problem now? The code which runs in your browser before you can react to this cannot have such power to save anything in your filesystem. The only thing you can do to give the user a file is to use a module like Filesaver.js which, in fact, does not have access to user's file system at all. It just makes a GET request to the file directly and it's the browser which downloads the file (because that's how a browser works). So the only way you can change the location of the downloaded file is to change the browser settings. No other way I know of.
The answer is No,
changing a directory is not possible due to security reasons in the
File API.
https://github.com/eligrey/FileSaver.js/issues/42

how to execute a batch file from a website

I know this sounds fishy, but I'm trying to run a batch file from a website. Our users are seniors that wouldn't know how to do anything with a computer. Our software is a replacement for the windows shell. When the computer starts, it automatically starts our software and nothing else. Our users never see windows, only our application. It is written in C# and after presenting a login screen shows the user a full-screen web application.
We have a system where we update our application via a batch file it downloads by itself. However, the dialog window asking the user for an update is broken (minimized, so the user doesn't see it). Now our users can't update our application. We fixed this bug in the current version, but users can't get the new version.
Is there any way to run a batch file from a website? The batch file is already downloaded by our application, it just needs to run. It is located in c:/users/the_user/appdata/roaming/. If anyone has any idea how we could run the batch file remotely, that would be awesome.
I know it would be a huge security risk if something like this is possible, please don't point that out to me. It is also not their computer that runs the software, but one we provide for the purpose of the application. If a user does not want to use the app anymore, we take the computer back as well. There can not be any personal data saved on it, because there is simply no way for the user to get it on there.
Our update process goes like this: the C# app downloads a zip from our web-server if there is a new version -> the app asks the user if he/she wants to install that update -> if the user presses yes, the c# app closes and runs the batch file that copies the contents from the zip to the folder where our c# app resides -> at the end of the batch file is a system restart command, after restarting the tablet our app starts up and the user can continue using it.
No, it can't launch a batch file from a website.
A browser will just save it to the local drive or open it in the web page.

Is it possible for a remote html file to download a file to a client?

I'm an iOS dev looking into some security aspects of a native iPhone app that loads local html pages into a UIWebView (that's the iOS class that give browsers functionality to a native app).
If the app loads a local html file and that file contains a link to an external html file then is it possible for that external file to download a file to the client (another html file or a javascript file)? My knowledge of html/javascript isn't detailed enough in this area.
E.g. If A.html is file physically present on the phone and A.html contains a href to B.html where B.html is on a server then is it possible for B.html (using whatever means) to move a file (C.html or D.js etc.) from the server onto the device?
What you probably mean is : are HTML pages able to download (and potentially execute or overwrite) content/code on the device? I'm just going to assume that in the following.
First, the browser isn't supposed to be able to download anything without the user consent. That's especially true on iOS, where the browser actually can't download anything at all. (Well, you can actually download images by long-pressing on them, but they are only going to go to the Photo Roll. Any other download will just fail.)
HTML pages (and JavaScript, images, ...) are of course downloaded to the device before the browser or UIWebView displays them, but they can't access anything on the filesystem.
What's more, due to the same-origin policy, a web page cannot access anything that's outside of its domain (cross-origin requests allow this, but they require the server to send a particular header).
Say your page is on http://mywebsite.com : you can't make a request to http://blah.org if it's not setup properly, or even (much more dangerous) to file:///etc/passwd (which you have no way to setup properly).
I'm not sure about local pages, but (at least on Chrome on the desktop) local web pages cannot download anything at all.
Of course, all of these are the expected behavior.
There have been cases of vulnerabilities (this one for instance) where Safari allows unprivileged access to the filesystem, but in most cases they have been patched quickly by Apple and you won't have to (and are not supposed to if you want to avoid unnecessary headaches) worry about them.

Download multiple files from remote server with a single user confirmation

I have a web page containing a list of pictures urls (can be more then 1000 items) and I want to enable a button for the user to click and download all of the files to the local hard drive.
The download process should ask the user for a directory to save the files in and then go ahead and download all files to that directory (if possible, creating sub directories inside). This should be done with a single user confirmation for the whole download process and avoid display the browser save dialog for each file.
Is there a way doing that? I am aware I can't use the standard HTTP protocol for the downloads and have to write some kind of control to do the job. The page is written in asp.net.
Downloading to the server, packing and sending to the user is not possible. The download has to be originated from the client machine.
You should update your question to include the requirements from your comment, because they make a huge difference. If the server cannot retrieve the files, because he doesn't have the right permissions, your only option is to run the code on the client side. There are several options how to do this, mostly depending on the clients and your coding skill:
Flash (Not sure about the security aspect of writing to the local file system, though)
Java Webstart (Disadvantage: Clients need to have the Java runtime installed)
Browser plugin/extension (Disadvantage: You can only support a subset of browsers and the page will not be immediately usable, as the plugin or extension needs to be installed first)
In all cases, you will have to write a tool, that retrieves the URL list from your server and starts downloading it.

How do you get a spreadsheet to open Excel instead of a browser window?

If you call javascript window.open and pass a url to a .xls file it open on some machines in the browser window. How can you force it into Excel?
Only the users machine can "force" it into Excel. That said, 99% of the time if you send the correct mime-type and a user has Excel, then it will open in Excel assuming they approve.
And only the server can send the correct mime-type. The document type you pass to a JavaScript window.open call will have no effect on this. In fact, calling window.open will at best just open a superfluous window.
It's best to just link to the document with <a href="foo.xls">. And provided your server is sending a mime-type of application/x-excel or application/x-msexcel this will almost always nudge the browser into opening a new window with the Excel document.
If it's just a static file, and you're using Apache on Linux, check for a file called /etc/mime.types, and ensure that it has the following line in there to associate the .xls file extension with the correct MIME type:
application/vnd.ms-excel xls
I'm guessing the location of that file might vary across systems, but it's in /etc/mime.types on my server which is running RHEL4.
AFAIK you can't do this with JavaScript alone. If you have some sort of scripting language on the server's side you can alter the header to force a download.
Here's a simple tutorial in PHP, but you can easily find one in your favorite language.
You cannot force it into Excel. You can allow the browser to handle it whichever way it is configured to do so, or you can try to force it to download the file and let the user open if from their desktop. To force a download, search for "force download" and your server-side language (PHP, ASP.NET, JSP, etc.)
I don't think you can: you cannot call external programs using Javascript for security reasons. Assuming that the user has Excel installed, you may want to open the new window without the address bar to give the user "the illusion" that the file has been opened with Excel in Internet Explorer.
I wouldn't think this is possible from javascript due to security issues, there would be nothing stopping a rogue webpage from opening dozens of excel/word instances.
Could you not set a hyperlink to the url of the .xls, that way the user would get the usual download prompt to view the file.
Set the http content type to the Excel datatype: application/vnd.ms-excel
You shouldn't need to redirect to a new window, but you will get a popup asking the user to save or open the file.
In relation to (2): I'd worry if a browser could launch an external application and load data into it automatically without user intervention.
This is a setting in each user's browser and not in something that can be set by code. So unfortunately you do not have control of that.
You can not, as it depends on the client machine.
For example on Windows if you want it to always open it with Excel, not in the browser window, you have to open My Computer, Tools, Folder Options, File Types, select the XLS type, and click on Advanced. There are two checkboxes: Browse in same window and Open web documents in place. Uncheck both, close browser window, open it again and try again.
However as I said: it depends on the client, you can not force it.
You can do this using LaunchinIE, an ActiveX Control that will enable HTML pages to start whatever application on the client's machine, without security warnings.
Quote from the site: "At last, web pages can start Word, Excel, or any other corporate application without complaints. Securely."
For this you do have to install the control on the user machine and also add the URL that is allowed to execute local applications to the Windows registry.
Another quote from the site: "To ensure security, LaunchinIE needs to be carefully configured client-side; due to this restriction it's only fit for intranet use."
I use LaunchinIE in our training facility so I can use Internet Explorer as a menu which lets the user choose the machine setup. LaunchinIE then calls a batch script that configures the machine to best support the selected training.
Here are the steps to get this pop-up back when opening a saved Excel file.
Right-Click on the windows [START] button and select Explore to open Windows Explorer window will open.
From the menu select Tools \ Folder Options…
• Choose the File Types tab and scroll down the list of files.
• Left-Click to highlight the XLS Microsoft Excel Worksheet file extension and click on the Advanced button.
In the Edit File Type window, Uncheck the “Browse in same window” option.
Click OK button to accept your changes.
Start a new browser session. The next time you open your Excel spreadsheet in your Inbox, you should be prompted with the following window. Be sure to leave the “Always ask before opening this type of file” as checked. Clicking the Open button should now open your file in Excel.

Categories