FIX: Security Patch (Q316059) Crashes Internet Explorer When You Call execScript (318426)



The information in this article applies to:

  • Microsoft Internet Explorer (Programming) 5.5 SP2
  • Microsoft Internet Explorer (Programming) 6.0

This article was previously published under Q318426

SYMPTOMS

When you call execScript within a parent frame from a child frame, Internet Explorer stops responding (crashes). This occurs after you apply the "February 11, 2002 Cumulative Patch for Internet Explorer", which is available in the following Microsoft Knowledge Base article:

316059 MS02-005: February 11, 2002, Cumulative Patch for Internet Explorer

RESOLUTION

To resolve this problem, obtain the latest service pack for Internet Explorer 6. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

328548 How to Obtain the Latest Internet Explorer 6 Service Pack

This problem no longer occurs in the "March 28, 2002, Cumulative Patch for Internet Explorer". For additional information about how to obtain this patch, click the article number below to view the article in the Microsoft Knowledge Base:

319182 MS02-015: March 28, 2002, Cumulative Patch for Internet Explorer

WORKAROUND

To work around this problem with the "February 11, 2002 Cumulative Patch for Internet Explorer", use one of the following methods.

NOTE: The following workarounds use the HTML files from the "More Information" section.

Change the Script to Call the Function Directly

In script, replace the following code
window.parent.execScript('test()');
				
with:
window.parent.test();
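
The following Node.js script is an added example, not part of the original Microsoft article. It scans script source for the cross-frame execScript calls described above and proposes the direct-call replacement when the code string is a single no-argument function call. The name auditExecScript and the sample input are constructed for illustration.

```javascript
// Added example: find cross-frame execScript calls and propose the direct call.
// Matches <frame ref>.execScript('<code>'[, '<language>']) where the frame
// reference goes through parent or top. Same-window calls are not flagged.
const CROSS_FRAME_EXEC =
  /\b((?:window\.)?(?:parent|top)(?:\.(?:parent|top))*)\.execScript\(\s*(['"])(.*?)\2\s*(?:,\s*(['"]).*?\4\s*)?\)/g;

// A code string that is just a no-argument call to a global function.
const SIMPLE_CALL = /^\s*([A-Za-z_$][\w$]*)\s*\(\s*\)\s*;?\s*$/;

function auditExecScript(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, i) => {
    if (/^\s*\/\//.test(text)) return; // skip commented-out lines
    for (const m of text.matchAll(CROSS_FRAME_EXEC)) {
      const [call, frameRef, , code] = m;
      const simple = SIMPLE_CALL.exec(code);
      findings.push({
        line: i + 1,
        call,
        // Suggest a rewrite only when it is mechanical; otherwise review by hand.
        suggestion: simple ? `${frameRef}.${simple[1]}()` : null,
      });
    }
  });
  return findings;
}

// Constructed sample input modelled on Child.html from this article.
const SAMPLE = [
  "function Test()",
  "{",
  "    window.parent.execScript('test()');",
  "    //window.parent.test();",
  "    top.execScript(\"refresh(); log(1)\", \"JScript\");",
  "    window.execScript('local()');",
  "}",
].join("\n");

for (const f of auditExecScript(SAMPLE)) {
  console.log(`line ${f.line}: ${f.call} -> ${f.suggestion ?? "review manually"}`);
}
```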
				

Change the Visual C++ Code to Call the Function Directly

In Microsoft Visual C++, replace the code to call execScript (which is implemented in CallExecScript) with the code to call the script method directly (which is implemented in CallDirect):
void CCplusworkaroundCtrl::OnLButtonDown(UINT nFlags, CPoint point) 
{
	HRESULT hr = S_OK;

	IServiceProvider* pServiceProvider = NULL;
	hr = m_pClientSite->QueryInterface(IID_IServiceProvider, (void**)&pServiceProvider);
	ASSERT(SUCCEEDED(hr) && pServiceProvider);

	IWebBrowser2* pWebBrowser2 = NULL;
	hr = pServiceProvider->QueryService(SID_SWebBrowserApp, IID_IWebBrowser2, (void**)&pWebBrowser2);
	ASSERT(SUCCEEDED(hr) && pWebBrowser2);

	IDispatch* pDocDisp = NULL;
	hr = pWebBrowser2->get_Document(&pDocDisp);
	ASSERT(SUCCEEDED(hr) && pDocDisp);

	IHTMLDocument2* pDocument2 = NULL;
	hr = pDocDisp->QueryInterface(IID_IHTMLDocument2, (void**)&pDocument2);
	ASSERT(SUCCEEDED(hr) && pDocument2);

	IHTMLWindow2* pWindow2 = NULL;
	hr = pDocument2->get_parentWindow(&pWindow2);
	ASSERT(SUCCEEDED(hr) && pWindow2);

	IHTMLWindow2* pWindowTop = NULL;
	hr = pWindow2->get_top(&pWindowTop);
	ASSERT(SUCCEEDED(hr) && pWindowTop);

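	// Workaround: call the script function directly instead of through
	// execScript, which crashes after Q316059 is applied.
	CallDirect(pWindowTop);
	// CallExecScript(pWindowTop);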

	pWindowTop->Release();
	pWindow2->Release();
	pDocument2->Release();
	pDocDisp->Release();
	pWebBrowser2->Release();
	pServiceProvider->Release();
}

void CCplusworkaroundCtrl::CallExecScript(IHTMLWindow2* pWindow2)
{
	ASSERT(pWindow2);
	HRESULT hr = S_OK;

	BSTR bstrCode = ::SysAllocString(L"test()");
	BSTR bstrLanguage = ::SysAllocString(L"vbscript");

	COleVariant ret;
	hr = pWindow2->execScript(bstrCode, bstrLanguage, &ret);
	
	::SysFreeString(bstrLanguage);
	::SysFreeString(bstrCode);
}

void CCplusworkaroundCtrl::CallDirect(IHTMLWindow2* pWindow2)
{
	DISPID dispidScriptObject, dispidMethodToInvoke;
	IDispatch *pDispScriptObject;
	DISPPARAMS dispparamsNoArgs = { NULL, NULL, 0, 0};
	HRESULT hr;
	OLECHAR *szScript = L"script";
	OLECHAR *szFuncName = L"test";
	
	IHTMLDocument2* pDocument2 = NULL;
	hr = pWindow2->get_document(&pDocument2);
	ASSERT(SUCCEEDED(hr) && pDocument2);

	IDispatch* pDocDisp = NULL;

	hr = pDocument2->QueryInterface(IID_IDispatch, (void**)&pDocDisp);
	ASSERT(SUCCEEDED(hr) && pDocDisp);

	// Get the DISPID of the document's Script property.
	hr = pDocDisp->GetIDsOfNames(IID_NULL, &szScript,
		1, LOCALE_USER_DEFAULT, &dispidScriptObject);
	ASSERT(SUCCEEDED(hr));

	COleVariant varResult;
	
	// Get the document's Script property.
	hr = pDocDisp->Invoke(dispidScriptObject,
		IID_NULL, LOCALE_USER_DEFAULT, DISPATCH_PROPERTYGET,
		&dispparamsNoArgs, &varResult, NULL, NULL);
	ASSERT(SUCCEEDED(hr) && varResult.pdispVal);

	pDispScriptObject = varResult.pdispVal;
	// Take our own reference: Clear() releases the one held by varResult.
	pDispScriptObject->AddRef();

	varResult.Clear();	
	// Get the DISPID of the script method to invoke.
	hr = pDispScriptObject->GetIDsOfNames(IID_NULL, &szFuncName, 1, 
		LOCALE_USER_DEFAULT, &dispidMethodToInvoke);
	ASSERT(SUCCEEDED(hr));

	// Invoke the script method.
	hr = pDispScriptObject->Invoke(dispidMethodToInvoke, IID_NULL,
		LOCALE_USER_DEFAULT, DISPATCH_METHOD, &dispparamsNoArgs, 
		&varResult, NULL, NULL);
	ASSERT(SUCCEEDED(hr));

	pDispScriptObject->Release();
	pDocDisp->Release();
	pDocument2->Release();
}
				

Remove the "February 11, 2002 Cumulative Patch for Internet Explorer"

As a last resort, you can restore the previous version of Internet Explorer to return to the version that you had before you installed the security patch.

IMPORTANT: This workaround exposes you to the security problems that Q316059 fixes. Be sure to install the previous security patch, which is available from the following Microsoft Knowledge Base article:

313675 MS01-058: File Vulnerability Patch for Internet Explorer 5.5 and Internet Explorer 6

Do not use this workaround unless you are sure that it is absolutely necessary. This workaround is only temporary. Remember to update Internet Explorer when the next security patch becomes available.
  1. In Control Panel, double-click Add/Remove Programs.
  2. Under Currently installed programs, click Microsoft Internet Explorer.
  3. In the left pane, click Change/Remove.
  4. Click Restore the previous Windows configuration, and then click OK.
  5. After you restore the previous version of Internet Explorer, reboot your computer.
  6. Browse to the following Microsoft Web site to download and to install the version of Internet Explorer that you want:

If you do not have a restore option for Internet Explorer (for example, if you are using Microsoft Windows XP), you must manually replace the Mshtml.dll and Mshtml.tlb files, in safe mode, with the older versions of these files, which are located in Q313675. Although you can use the original Mshtml files from the Microsoft Windows XP CD, these files do not provide as much security.

For additional information about how to uninstall Internet Explorer, click the article numbers below to view the articles in the Microsoft Knowledge Base:

293907 How to Uninstall Internet Explorer 6

257234 How to Uninstall Internet Explorer 5.5

STATUS

Microsoft has confirmed that this is a bug in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Internet Explorer 6 Service Pack 1.

MORE INFORMATION

Steps to Reproduce Behavior

  1. In Notepad, create a new file named Parent.html, and then paste the following code:
    <html>
        <head>
            <title>Internet Explorer Crashes When You Call execScript Within a Parent Frame from a Child Frame</title>
            <script>
                function test()
                {
                    alert("test");
                }
            </script>
        </head>
        <body>
            <iframe src="child.html"></iframe>
        </body>
    </html>
    					
  2. Save Parent.html on your Web server.
  3. Create a new file named Child.html, and then paste the following code:
    <html>
        <head>
            <script>
                function Test()
                {
                    window.parent.execScript('test()');
                    // Comment out the line above and uncomment the following line to work around the problem.
                    //window.parent.test();
                }
            </script>
        </head>
        <body>
            Click this button to run a script within the parent frame<br>
            <button onclick="Test()">Click</button>
        </body>
    </html>
    					
  4. Save Child.html on your Web server.
  5. Browse to the Parent.html page, and then click the button that should run the script.

Modification Type: Minor
Last Reviewed: 4/4/2005
Keywords:kbbug kbfix kbIE600sp1fix KB318426