Open the website in the default browser, preventing them from launching anything else?

I would like to open the website in the user's default web browser, however, since the URL is user-defined, I would also like to prevent them from doing anything other than opening the website.

I saw people using Process.Start(url); to open the site in the default browser, but since the URL is user-defined, I want to make sure that they do not enter something like the location of the script and do not execute it.

I also do not want to use Process.Start("iexplore", url); , since I would rather open the link in the user's default browser.

Is there a way to open a website in my default browser without letting them run any other process or command?

EDIT

For example, I don’t want users to be able to type C:\Windows\Notepad.exe in the Client Website field and open Notepad when they click the Website link.

EDIT No. 2

I am not looking for a way to filter user access on the Internet or replace it with security. I'm just looking for a way to prevent users from running any other application by entering a bad url. If they enter “google” for the Customer website, it should not open the Open With file dialog, but instead will launch a default user web browser with the word “google” in the URL.

+6
c# desktop-application
7 answers

You can see the default browser from the registry. This is in several different places, but I think that HKEY_CURRENT_USER\Software\Classes\http\shell\open\command would be a good place to search.

Extract the executable name from it, then Process.Start with the URL entered by the user as a parameter.

+6

I found a way to do this, however I have not tested whether this will work on other operating systems

I get the Path for DefaultWebBrowser from the registry and then use Process.Start(defaultBrowserPath, url);

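    using System.Diagnostics;
    using Microsoft.Win32;

    public static void OpenWebsite(string url)
    {
        // Launch the default browser's executable with the URL as its argument
        Process.Start(GetDefaultBrowserPath(), url);
    }

    private static string GetDefaultBrowserPath()
    {
        // HKEY_CLASSES_ROOT\http\shell\open\command holds the browser command line
        string key = @"http\shell\open\command";
        RegistryKey registryKey = Registry.ClassesRoot.OpenSubKey(key, false);
        // The default value is a quoted executable path followed by arguments;
        // take the text between the first pair of quotes
        return ((string)registryKey.GetValue(null, null)).Split('"')[1];
    }
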
+5

Well, not quite. What you can do is check if it is an HTTP(S) URL and whether the URL returns a text/html content type - but even this will not help if the browser uses content sniffing (ignores the content type, tries to determine it from the contents of the file - IIRC IE6 does this, not sure what others do).

In addition, different browsers are susceptible to various security vulnerabilities in the wrong URLs (why does IE come to mind again?), so you can check things like zero hacks, EOL hacks, etc.

In the end, there is no perfect URL check - old / unverified browsers will always be susceptible to some exploits, and this is not exactly what you can fix. However, you can filter out most of them - be it 80%, 99% or 99.99%, depending on the amount of time you are willing to invest.

+3

If I understand you correctly, then there is no solution to the problem that you are describing. You say: how can I filter user input (hopefully in Uri form, but even Uri is a very broad concept) to ensure that it is not malicious content. The answer is that without doing it manually, you cannot.

http://here.dowloadmyvirus.com is a perfectly valid Uri site, but you can never guarantee the content that will be served from there.

It may not even be Uri: if you press Start / Run and enter "iexplore c:\windows\notepad.exe", then (using RTM) I get my local notepad.exe running as a download. You have nothing to stop you from pointing to a malicious script hosted on the Internet.

I would advise you to either restrict access so that only a few trusted users can edit any data that you manage, or conduct a verification process to make sure that such content has been verified before its publication.

+2

I developed a method that uses the fact that javascript works in the sandbox.

You have a web page (e.g. http://mydomain/LaunchPage.html) available for your desktop. Call it by placing the URL in the query string (so http://mydomain/LaunchPage.html?URL=http://www.google.com).

All LaunchPage does is use JavaScript to set document.location.

    <script>
    /*
     * Retrieve named values from the query string.
     * Based on an idea from
     * http://ilovethecode.com/Javascript/Javascript-Tutorials-How_To-Easy/Get_Query_String_Using_Javascript.shtml
     */
    function queryString(key) {
        var args = window.location.search.substring(1).split("&");
        for (var i = 0; i < args.length; i++) {
            var keyValuePair = args[i].split("=");
            if (keyValuePair[0].toUpperCase() == key.toUpperCase()) {
                return keyValuePair[1];
            }
        }
        return null;
    }

    // Navigate to the URL passed in the query string
    document.location = queryString("URL");
    </script>

If the URL is set to a local file or something like that, then an isolated JavaScript sandbox will prevent its use.

Now you can use the following code in complete safety.

    Process.Start(@"http://mydomain/LaunchPage.html?URL=C:\Windows\Notepad.exe");

EDIT Please note that the HTML file can be installed next to the application. If you did this, the code to run would look something like this:

    Process.Start(@"c:\<InstallRoot>\LaunchPage.html?URL=C:\Windows\Notepad.exe");

+2

I think you can check the url to confirm that it is a valid url and not the path to the executable.

You can use regular expressions to validate the URL, see here.

Good luck

+1
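
Added example, not part of any answer on this page and not the asker's code: one way to do the "is it a web URL and not a path to an executable" check suggested above, using System.Uri instead of a regular expression, and then launching the default browser. The names WebsiteLauncher, TryGetWebUri and OpenWebsite are hypothetical, and the example assumes that bare input such as "google" should be treated as a host name, as the question asks.

```csharp
using System;
using System.Diagnostics;

// Hypothetical helper class for illustration; not from the original page.
public static class WebsiteLauncher
{
    // Converts user input into an absolute http/https Uri, or returns false.
    public static bool TryGetWebUri(string input, out Uri webUri)
    {
        webUri = null;
        if (string.IsNullOrWhiteSpace(input)) return false;
        string text = input.Trim();

        Uri parsed;
        if (Uri.TryCreate(text, UriKind.Absolute, out parsed))
        {
            // The input already carries a scheme, or is a rooted path such as
            // C:\Windows\Notepad.exe, which parses with the "file" scheme.
            // Anything that is not http/https is refused outright.
            if (!IsHttp(parsed)) return false;
            webUri = parsed;
            return true;
        }

        // Bare input such as "google": treat it as a host name.
        if (Uri.TryCreate("http://" + text, UriKind.Absolute, out parsed) && IsHttp(parsed))
        {
            webUri = parsed;
            return true;
        }
        return false;
    }

    private static bool IsHttp(Uri uri)
    {
        return uri.Scheme == Uri.UriSchemeHttp || uri.Scheme == Uri.UriSchemeHttps;
    }

    public static bool OpenWebsite(string input)
    {
        Uri webUri;
        if (!TryGetWebUri(input, out webUri)) return false;
        // The string handed to the shell always starts with http:// or https://,
        // so it is dispatched to the handler registered for that protocol
        // (the default browser) and is never resolved as a file or program.
        Process.Start(new ProcessStartInfo(webUri.AbsoluteUri) { UseShellExecute = true });
        return true;
    }
}
```

Input of the form host:port without a scheme (for example localhost:8080) parses as an absolute URI with an unknown scheme and is therefore refused; that is the conservative choice here.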

It seems to me that you are worried about something that is not really a problem. If the user could run the program, and not the URL from your application, then they could just run the program on their own. This applies only to security issues if you accept input from an object other than a registered user.

+1