Skip to main content

Bug Tracker

Side navigation

#6816 closed bug (fixed)

Opened July 22, 2010 03:29PM UTC

Closed July 25, 2010 05:10PM UTC

ActiveX issues with IE with restrictive security settings

Reported by: chris.fewtrell Owned by:
Priority: Milestone:
Component: unfiled Version: 1.3.2
Keywords: Cc:
Blocked by: Blocking:

1.3.2 issue that affects IE with restrictive security settings.

The line 3122 in the 1.3.2 codebase causes the following error dialog in IE6 "Your current security settings prohibit ActiveX controls on this page. As a result, this page may not display correctly".

In IE7 you get a similar message but in the "warning bar" at the top of the screen, which is far less intrusive.

The code in question is

div.innerHTML = ' <link/><table></table><a href="/a" style="color:red;float:left;opacity:.5;">a</a><select><option>text</option></select><object><param/></object>';

And the problematic issue (as far as I can see) is that we are creating an <object> element within the div's content. This is not allowed if IE has the security option "Run ActiveX controls and plug-ins" set to "Disable" or "Administrator approved". Also, a corporate customer has reported this issue even with this option set to "Enable" - but I have not been able to reproduce locally.

I have "fixed" the issue by simply removing the offending text "<object><param/></object>" and then knobbling the code on line 3142

objectAll: false,

(it used to read

objectAll: !!div.getElementsByTagName("object")[0].getElementsByTagName("*").length,


Does this seem like a sensible fix/patch?

Attachments (0)
Change History (1)

Changed July 25, 2010 05:10PM UTC by dmethvin comment:1

resolution: → fixed
status: newclosed

This was fixed in 1.4.