On February 28, 2006, Microsoft released security advisory 912945 regarding non-security update 912945 to Microsoft Internet Explorer 6 for Microsoft Windows XP Service Pack 2 (SP2) and for Microsoft Windows Server 2003 Service Pack 1 (SP1). This update changes the way in which Internet Explorer handles some Web pages that use ActiveX controls. According to Microsoft, the security update is now being tested to ensure quality and application compatibility and is on schedule to be released as part of the April security updates on April 11, 2006 , or sooner as warranted.
Depending on your use of the CleverPath Forest & Trees Runtime ActiveX control, these changes to Internet Explorer may affect what your users see when they view your applications in a browser. This document describes the changes, what uses of the CleverPath Forest & Trees Runtime ActiveX control may be affected, and what you can do to maintain the current functionality and continue to provide a seamless experience for your users.
For additional information and future announcements regarding changes to Internet Expl orer, check the Microsoft Developer Network (MSDN) at http://msdn.microsoft.com/ieupdate.
What Is Changing?
The changes to Internet Explorer described in this document will have no effect on users and de velopers until they install the non-security update 912945 or the next scheduled cumulative security update from Microsoft which implements these changes is applied.
These changes will affect the way the browser handles active content (ActiveX controls and Java applets) on web pages. Any active content coded with <object>, <embed>, or <applet> tags that are inline in an HTML file, that is coded directly in the HTML file itself, will initially be inactive when loaded. When a control is inactive, it does not respond to user input including keyboard, mouse, or other pointing device. To activate an interactive control, a user must simply click on the control or use the TAB key to select the control and press Enter or Spacebar.
It is important to note th at the functionality of the control is not limited or affected in any way. The browser simply loads the control in an inactive state. While inactive, the CleverPath Forest & Trees Runtime ActiveX Control still performs operations that do not involve interaction -for example, view file open processing. Once the control is activated, it will function exactly as it did in previous versions of Internet Explorer.
If My Users Are Affected, What Will They See?
By default, the user interface of each affected ActiveX control object on a web page is blocked until the control is activated by the user. If multiple affected instances of the Runtime ActiveX Control are displayed on a page, each instance must be activated individually. When a view file is loaded in an inactive Runtime ActiveX Control, any view file open processing will be executed as always. Any messages or dialogs displayed by the CleverPath Forest & Trees application, including modal dialog groups, will be accessible to the user. Only the main CleverPath Forest & Trees Runtime application workspace embedded in the HTML page will be inaccessible.
While the Runtime ActiveX Control is inactive, your users will see a normal CleverPath Forest & Trees main application workspace. When the cursor is moved over the application workspace or the TAB key is pressed until the Runtime ActiveX Control is selected, a box is drawn around the Runtime ActiveX Control, and one of two tooltips will be displayed (Figure 1 and Figure 2).
Figure 1: Mouse over inactive control
Figure 2: Keyboard-selected inactive control
Not ALL Uses of the Runtime ActiveX Control Are Affected
The following uses of the Runtime ActiveX Control are not affected.
- Sites that load a view file di rectly in a browser without using a web page will be unaffected. This includes:
- Typing the path and file name of a view file into the browser's Address bar
- A link on a web page that refers to the path and file name of a view file
- Displaying a view file sto red in a CleverPath Portal without using the CleverPath Forest & Trees Portal content handler or another HTML file to reference the stored view file
- Sites that already use script in an external file to create the object or embed tag that loads the control will continue to function as they do now.
What Steps Can I Take to Avoid the Change in Behavior?
You can make some simple modifications to your web pages now that are compatible with existing versions of Internet Explorer and will give your users the same experience in both the current and future version of the browser. Those modifications are described in this document.
To create Web pages that load interactive controls that respond immediately to user input, you must use script to load those co ntr ols from external script files. You cannot write script elements inline with the main HTML page to load your control. If the script is written inline programmatically, the loaded control will behave as if it was loaded by the HTML document itself and wi ll require activation. To ensure a control is interactive when it is loaded, the script must be loaded from an external script file. The techniques described in this document do just that.
In order to execute script on an HTML page, Active Scripting must be enable d in Internet Explorer on the client computer. For information regarding c onfiguring Microsoft Internet Explorer security settings, see the Help topic titled "Configuring Web Browser Security for the Runtime ActiveX Control" in the CleverPath Forest & Trees Developer help file. In addition to the ActiveX controls and plug-ins security settings listed in this help topic, you must have Active scripting under the Scripting section set to Prompt or Enable.
Code That Needs to be Replaced
Any web page (i.e. Portal Content Handler capftwch.htm) that contains an <object> or <embed> tag coded directly in the HTML source will cause the control to be loaded in an inactive state. The following examples of HTML code will need to be replaced with code that calls script in an external script file to write the elements into the original page.
<param name="viewfile" value="http://mywebserver/myApp.ftv" />
<param name="src" value="http://mywebserver/myApp.ftv" />
<embed type="application/x-ftv" src="http://mywebserver/myApp.ftv"/>
<embed type="application/x-ftv" viewfile="http://mywebserver/myApp.ftv"/>
Solution 1: Users using the Portal content handler or some other content handler that delivers the embedded applications
For sites which use the CleverPath Forest & Trees Portal Content Handler, this solution includes a function which accepts arguments to construct the proper markup. This solution also provides some advantages if your site has a lot of embedded CleverPath Forest & Trees applications. Rather than create a separate external JS file for each affected web page, you make available on your web site a single external JS file that contains functions for creating the necessary tags based on parameters passed from the main web page.
Click here to download the JS file as well as capftwch.htm and RuntimeTemplate.htm files which can replace the HTML files provided on the CleverPath Forest & Trees installation media.
There are three steps you need to follow to implement this solution:
- Replace each instance of <object> and <embed> tags in your pages with the appropriate function calls.
FT_WriteObj( "safe"|"unrestricted", "viewfileURL" [, "attributeName1","attributeValue1", "attributeName2","attributeValue2", ... "attributeNameN","attributeValueN"] );
To replace the object and embed tags with calls to this function, pass the "safe"|"unrestricted" selector and the view file path and filename as parameters 1 and 2, and pass any additional attributes as pairs of a rguments. The function automatically inserts the correct classid, the view file, and the default values for id, width, height, codebase, and pluginspage if they are not specified in the parameter list. You do not need to supply the optional attribute name value pairs unless you require different values for a specific instance of a view file on a page. Note: For CleverPath Forest & Trees Runtime Option version 7.0 users, the first parameter must be "unrestricted" since safe mode was not available until version 7.1.
Web developers typically specify the same values in object and embed tags for all attributes and parameters; however, it is sometimes useful to have different values, so a page is displayed differently from one browser to another. To specify an attribute that will only be added to the <object> element, prefix the attribute name with o#. To specify an attribute that will only be added to the <embed> element, prefix the attribute name with e#.
For example, to replace the following object and embed tags:
<object id="FTW" classid="clsid:2863DDE9-3BFD-41CE-B98E-F8497089B01C"
codebase=" http://mywebserver/ftwrt710.exe #version=7,1,23"
<param name="viewfile" value="[path]/myviewfile.ftv" />
<embed type="application/x-ftv" viewfile="[path]/myviewfile.ftv"
You would insert the following function call in its place:
FT_WriteObj('safe', ' [path]/myviewfile.ftv' );
Using the CleverPath Forest & Trees Content Handler
When using the CleverPath Forest & Trees content handler in a CleverPath Portal environment, CleverPath Forest & Trees view files are handled by the capftwch.htm web page template file. In order to prevent the CleverPath Forest & Trees Runtime ActiveX Control from being loaded in an inactive state on Portal pages, you must update the capftwch.htm file using the method described in solution 1.
Solution 2: Users that are delivering individual embedded applications outside of a content handler. (i.e. through an html page)
The steps to do this are:
- Create and place the external JS file on your site. In this example, call it ftwapp.js. This script needs to write the full object/embed tag that was previously in your HTML file. For example:
//F&T 7.1 or later users, make sure you are specifying the desired
//clsid here (safe mode or unrestricted mode)
document.write('<object id="FTW" classid="clsid:5FADE212-B755-11D1-BA39-00C04FD60C4B" ...>\n');
document.write('<param name="viewfile" value="[path]/myviewfile.ftv" />\n');
document.write('<embed name="FTW" type="application/x-ftv"
- Replace each <object> or <embed> tag with a call to the appropriate external functions as follows:
This html code:
<object name="FTW" classid="clsid:2863DDE9-3BFD-41CE-B98E-F8497089B01C">
<param name="ViewFile" value="http://mywebserver/myViewFile.ftv" />
<embed name="FTW" type="application/x-ftv"
could be replaced by:
where [path]/ftwapp.js contains the InsertMyViewFile() function which write the object/embed tag.
<!-For unrestricted mode specify "clsid:5FADE212-B755-11D1-BA39-00C04FD60C4B"-->
<object classid="clsid:2863DDE9-3BFD-41CE-B98E-F8497089B01C" id="FTW"
<param name="viewfile" value="http://mywebserver/myviewfile.ftv" />
<embed src="http://mywebserver/myviewfile.ftv" type="application/x-ftv"
We take pride in our technical documents and are interested in your feedback. Please email your comments to us directly at: firstname.lastname@example.org