PRB: UseSafeSubset Allows Non-safe Objects to Be Called (185461)


The information in this article applies to:

  • Microsoft Visual Basic Learning Edition for Windows 5.0
  • Microsoft Visual Basic Learning Edition for Windows 6.0
  • Microsoft Visual Basic Professional Edition for Windows 5.0
  • Microsoft Visual Basic Professional Edition for Windows 6.0
  • Microsoft Visual Basic Enterprise Edition for Windows 5.0
  • Microsoft Visual Basic Enterprise Edition for Windows 6.0
  • Microsoft Visual Basic Standard Edition, 32-bit, for Windows 4.0
  • Microsoft Visual Basic Professional Edition, 32-bit, for Windows 4.0
  • Microsoft Visual Basic Enterprise Edition, 32-bit, for Windows 4.0
  • Microsoft Visual Basic for Applications 5.0
This article was previously published under Q185461

SYMPTOMS

When using the Microsoft Script control with the UseSafeSubset property set to TRUE, script code is still able to instantiate objects that have not been marked safe for scripting.

CAUSE

The program is using version 1.0 of the Microsoft Script Control.

NOTE: An alternate cause, not addressed elsewhere in this article is that your VBA application is resetting the UseSafeSubset property to FALSE.

RESOLUTION

To correct this problem, upgrade to version 6.0 of the Microsoft Script Control. For additional information, please see the following article in the Microsoft Knowledge Base:

184739 INFO: Where to Obtain the Script Control

STATUS

Microsoft is researching this problem and will post new information here in the Microsoft Knowledge Base as it becomes available.

MORE INFORMATION

Microsoft provides programming examples for illustration only, without warranty either expressed or implied, including, but not limited to, the implied warranties of merchantability and/or fitness for a particular purpose. This article assumes that you are familiar with the programming language being demonstrated and the tools used to create and debug procedures.

Steps to Reproduce Behavior

  1. In Visual Basic create a new project and add the following component: 
          Microsoft Script Control 1.0
  2. Add the Script control (ScriptControl1), a text box (Text1), and a command button (Command1) to a form. In Visual Basic, set the MultiLine property of the text box to TRUE. For ease of use change the size of Text1 so that it will accommodate 5 lines of 60 characters.
  3. Add the following code: 
          Private Sub Command1_Click()
        On Error Resume Next
        With ScriptControl1
          .UseSafeSubset = True
          .Language = "VBScript"
          .AllowUI = True
          .AddCode Text1.Text
          .Run "Test"
        End With
      End Sub
  4. Run the form and open the Debug window.
  5. Type the following script into the text box. If you do not have Microsoft Excel, use a different server application. 
          Sub Test()
      Dim X
        Set X = CreateObject("Excel.Application")
        X.Visible = True     ' this line is Excel-specific
        MsgBox "Pausing for effect...."
        Set X = Nothing
      End Sub
  6. Click the command button. Microsoft Excel is displayed.
  7. Click OK on the message box and Excel will close.
  8. Install version 6.0 of the control and re-run. You will get a trappable error indicating that the object is not marked safe for scripting:
    Run-time error '429':
    ActiveX component can't create object 'createobject'
(c) Microsoft Corporation 1998, All Rights Reserved. Contributions by Malcolm Stewart, Microsoft Corporation
Modification Type:MajorLast Reviewed:6/30/2004
Keywords:kbprb kbScript KB185461
©2004 Microsoft Corporation. All rights reserved.