Content Advisor Displays Warning for Script URL (329160)


The information in this article applies to:

  • Microsoft Internet Explorer 6 for Windows
  • Microsoft Internet Explorer 6 SP1 for Windows
  • Microsoft Internet Explorer 5.5 SP2 for Windows
  • Microsoft Internet Explorer 5.01 SP2 for Windows
  • Microsoft Internet Explorer (Programming) version 6.0
This article was previously published under Q329160

SYMPTOMS

After you restrict the sites that you may open in Microsoft Internet Explorer, the Content Advisor dialog box may appear if the HTML page contains embedded JavaScript links, even though the site is permitted and loads in a new window.

CAUSE

In Content Advisor, the user is given access to HTTP://microsoft.site.com and is given restricted access to everything else, and the site contains HREF links to scripting URLs.

WORKAROUND

To work around the behavior that is described in the "Symptoms" section of this article, use one of the following elements:
  • SPAN HTML element.
  • Button HTML element.

SPAN Element

  • In the SPAN element, set the onclick event of the SPAN element to behave like the href attribute of the ANCHOR HTML element.
  • You may make the SPAN element appear like the ANCHOR element. The <u> tag may be used to underline the text in the SPAN element. The cursor may be set to appear as a hand image when you position the cursor on the text in the SPAN element by using the cascading style sheet.
The following sample HTML code uses the SPAN element:
<HTML>
<HEAD>
<LINK href="Button.css" rel="stylesheet" type="text/css">
</HEAD>
<BODY>
<Form>
<SPAN class="Buttonspan" STYLE="color: blue" 
  onclick="javascript:window.open('http://www.tailspintoys.com')" >
  <u>click</u></SPAN>
</Form>
</BODY>
</HTML>
Note Replace http://www.tailspintoys.com with the URL of the site you want to visit.

Button HTML Element

In the Button HTML element, set the onclick event of the Button element to behave like the href attribute of the ANCHOR HTML element.

The following sample html code uses the Button element:
<HTML>
<HEAD>
</HEAD>
<BODY>
<Form>
<input type=button 
	onclick="javascript:window.open('http://www.tailspintoys.com')">
</Form>
</BODY>
</HTML>
Note Replace http://www.tailspintoys.com with the URL of the site you want to visit.

Note The Button element may not appear as the ANCHOR element.

MORE INFORMATION

Content Advisor uses the InternetCrackURL() public function to separate the URL into various components based on the URL breakdown and specifications. The following is the breakdown for the example "http://microsoft.site.com/" permitted site:

Internet Scheme = http
Internet Host = microsoft.site.com
Internet Path =

A scripting URL, such as "javascript:window.open('http://www.site.com')", equates to the following objects in the InternetCrackURL() public function:

Internet Scheme = javascript
Internet Host = window.open('http:
Internet Path = //www.site.com')

If the HREF contains a scripting URL, the HREF is processed as two separate requests. The first request executes the following JavaScript :
"javascript.window.open('http://www.site.com')"

The second request results from the execution of window.open('http://www.site.com').

The first request is executed with the JavaScript URL. The Content Advisor blocks the request because of the pattern match failure with the Internet Scheme, Internet Host, and Internet Path objects, and the user receives the dialog box. The second request executes without a prompt because the URL is "http://www.site.com", and this pattern matches the permitted server list of the Content Advisor.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

REFERENCES

For additional information about how to restrict the sites that you can open in Internet Explorer, click the following article number to view the article in the Microsoft Knowledge Base:

267930 How to Configure Internet Explorer 5.x to Block Access to All But Approved Internet Sites

Modification Type:MinorLast Reviewed:4/4/2005
Keywords:kbhtml kbButton kbScript kbfix kbIE600preSP2fix kbIE600sp2fix kbprb kbIE600sp1fix KB329160 kbAudDeveloper
©2004 Microsoft Corporation. All rights reserved.