HTML Application: Difference between revisions

m Reverted edits by 108.193.233.213 (talk) unexplained removal of content (HG)
Patent citation
 
(114 intermediate revisions by 83 users not shown)
{{Short description|Microsoft Windows program}}
:''This article refers to Microsoft's proprietary HTA implementation. For information regarding the HTML5 Cache Manifest, also referred to as offline HTML applications, please see [[Cache manifest in HTML5]].''
 
{{ Infobox file format
| name = HTML Application (HTA)
| icon =
| screenshot =
| caption =
| extension = {{mono|.hta}}
| mime = application/hta
| typecode =
| uniform type =
| magic = {{mono|%hta}}
| owner = [[Microsoft]]
| released = <!-- {{Start date|YYYY|mm|dd|df=yes}} -->
| standard =
| free =
| url = {{URL|1=https://learn.microsoft.com/en-us/previous-versions/ms536471(v=vs.85)?redirectedfrom=MSDN}}
}}
 
An '''HTML Application''' ('''HTA''') is a [[Microsoft Windows]] program whose source code consists of [[HTML]], [[Dynamic HTML]], and one or more scripting languages supported by [[Internet Explorer]], such as [[VBScript]] or [[JScript]]. The HTML is used to generate the user interface, and the scripting language is used for the program logic. An HTA executes without the constraints of the web browser security model; in fact, it executes as a "fully trusted" application.
 
The usual file extension of an HTA is <code>.hta</code>.
 
The ability to execute HTAs was introduced to Microsoft Windows in 1999, along with the release of [[Microsoft Internet Explorer 5]].<ref>[http://support.microsoft.com/kb/200874 ''Article ID:200874''], in Microsoft Support Knowledge Base</ref> On December 9, 2003, this technology was [[patent]]ed.<ref>{{Cite patent|number=US6662341B1|title=Method and apparatus for writing a windows application in HTML|gdate=2003-12-09|invent1=Cooper|invent2=Kohnfelder|invent3=Chavez|inventor1-first=Phillip R.|inventor2-first=Loren M.|inventor3-first=Roderick A.|url=https://patents.google.com/patent/US6662341B1/en?oq=PN/6,662,341}}</ref><ref>{{Cite web |last=Festa |first=Paul |date=2003-12-10 |title=Microsoft wins HTML application patent |url=http://www.cnet.com/news/microsoft-wins-html-application-patent/ |url-status=dead |archive-url=https://web.archive.org/web/20160310170211/http://www.cnet.com/news/microsoft-wins-html-application-patent/ |archive-date=2016-03-10 |access-date=2016-01-10 |website=[[CNET]]}}</ref>
 
== Uses ==
HTAs give the developer the features of HTML together with the advantages of scripting languages. They are popular with Microsoft system administrators who use them for system administration tasks, such as user-forms and pre-written network queries, since, for example, VBScript and JScript can access the [[Windows Task Manager]]. In general, HTAs are said to be suitable for many purposes, from prototypes to "full-scale" applications, especially where flexibility and speed of development are critical.<ref name=msintro/>
 
== Disadvantages ==
Besides the advantage of programming applications in Internet-environment [[programming languages]], which is usually easier because [[markup languages]] are used to build the [[User interface|UI]] (like [[XAML]], which Microsoft later presented as part of [[Windows Presentation Foundation|WPF]]), the current standard of HTA has a few disadvantages:
* Only the main page of the project has the [[Filename extension|extension]] HTA, which means that only it can be modified with the properties of a GUI form.
* Opening new windows can be done only by [[JavaScript]] (and it might open it using the web browser). Linking to another page will open it in the same window.
* The engine of HTA files (mshta.exe) is completely dependent on [[Internet Explorer]]. In [[Windows Vista]], for the first time, the user can [[Removal of Internet Explorer|remove Internet Explorer]] from Windows, which will cause a serious bug for the engine of HTA files.
* Using [[server-side]] scripting languages isn't a built-in option, and can only be done by running a local server at the moment the HTA file is opened.
* HTA files can't be compiled. The only solution that was found for that is to compress all of the files of the project to an [[Self-extracting archive|SFX]] package. Another disadvantage of compiling an HTA is the fact that files inside the project can't be modified (modifying files usually can be done by [[server-side]] scripting languages, although the HTA engine has a permission to write files).
 
==Environment==
 
===Execution===
[[File:RectifiedWikipediaHTAWindow.png|alt=|thumb|346x346px|One screenshot of one example window that is produced by <code>mshta.exe</code>]]
An HTA is executed using the program <code>mshta.exe</code>, or, alternatively, double-clicking on the file. This program is typically installed along with Internet Explorer. <code>mshta.exe</code> executes the HTA by instantiating the Internet Explorer rendering engine (mshtml) as well as any required language engines (such as vbscript.dll).
 
An HTA is treated like any executable file with extension [[EXE|<code>.exe</code>]]. When executed via mshta.exe (or if the file icon is double-clicked), it runs immediately. When executed remotely via the browser, the user is asked once, before the HTA is downloaded, whether or not to save or run the application; if saved, it can simply be run on demand after that.<ref name=msintro/>
 
By default, HTAs are rendered as per "standards-mode content in IE7 Standards mode and quirks mode content in IE5 (Quirks) mode", but this can be altered using <code>X-UA-Compatible</code> headers.<ref name=msintro>{{cite web |url=https://msdn.microsoft.com/en-us/library/ms536496%28v=vs.85%29.aspx |title=Introduction to HTML Applications (HTAs) |website=Microsoft MSDN |date=May 2011 |access-date=24 June 2016}} Sections include Why Use HTAs, Creating an HTA, HTA-Specific Functionality, Security, Compatibility, Deployment</ref>
 
HTAs are dependent on the Trident (MSHTML) browser engine, used by [[Internet Explorer]], but are not dependent on the Internet Explorer application itself. If a user [[Removal of Internet Explorer|removes Internet Explorer]] from Windows, via the Control Panel, the MSHTML engine remains and HTAs continue to work. HTAs continue to work in Windows 11 as well.
 
HTAs are fully supported running in modes equivalent to Internet Explorer versions 5 to 9. Further versions, such as 10 and 11, still support HTAs though with some minor features turned off.{{fact|date=May 2015}}
 
===Security considerations===
{{main|Browser security}}
When a regular HTML file is executed, the execution is confined to the security model of the [[web browser]]. This means it is confined to communicating with the server, manipulating the page's [[object model]] (usually to validate forms and/or create interesting visual effects) and reading or writing [[HTTP cookie|cookies]].
 
On the other hand, an HTA runs as a fully trusted application and therefore has more privileges than a normal HTML file; for example, an HTA can create, edit and remove files and [[Windows Registry|registry]] entries. Although HTAs run in this 'trusted' environment, querying [[Active Directory]] can be subject to Internet Explorer Zone logic and associated error messages.
 
==Development==
To customize the appearance of an HTA, an (optional) tag <code>hta:application</code> was introduced to the <code>HEAD</code> section. This tag exposes a set of attributes that enable control of border style, the program icon, etc., and provide information such as the argument (command line) used to launch the HTA.<ref>[https://msdn.microsoft.com/en-us/library/aa360681(v=VS.85).aspx ''HTA:APPLICATION Object''], in MSDN Library, the complete specification of the tag <code>hta:application</code></ref> Otherwise, an HTA has the same format as an HTML page.
 
==Development tools==
Any text editor can be used to create an HTA. Editors with special features for developing HTML applications may be obtained from Microsoft<ref>[http://www.microsoft.com/downloads/details.aspx?FamilyId=231D8143-F21B-4707-B583-AE7B9152E6D9&displaylang=en ''HTA Helpomatic'']</ref> or from third-party sources.<ref>[http://www.htaedit.com/ ''HTAEdit, an editor for HTAs with a built-in debugger'']</ref>
 
An existing HTML file (with file extension <code>.htm</code> or <code>.html</code>, for example) can be changed to an HTA by simply changing the extension to <code>.hta</code>.
 
==Vulnerabilities==
HTAs have been used to deliver malware.<ref>{{Cite web|url=https://www.vmray.com/cyber-security-blog/spora-ransomware-dropper-hta-infect-system/|title=Spora Ransomware Dropper Uses HTA to Infect System|date=2017-01-17|website=VMRay|language=en-US|access-date=2018-12-22}}</ref><ref>{{Cite web|url=https://blog.netwrix.com/2017/06/01/nine-scariest-ransomware-viruses/|title=8 Scariest Ransomware Viruses|language=en-US|access-date=2018-12-22}}</ref> One particular HTA, named ''[[4chan]].hta'' (detected by antiviruses as JS/Chafpin.gen), was widely distributed by users of the imageboard as a [[steganographic]] image: users were instructed to download the picture as an HTA file, which, when executed, would cause the computer to automatically spam the website (evading 4chan's [[CAPTCHA]] in the process) with alternate variants of itself. It was reported that earlier attacks of this kind had prompted the user to save the file as a [[JavaScript|.js]] file.<ref>{{cite web |last1=Constantin |first1=Lucian |title=4chan Flood Script Is Back with New Social Engineering Trick |url=https://news.softpedia.com/news/4chan-Flood-Script-Is-Back-with-New-Social-Engineering-Trick-151603.shtml |website=Softpedia |access-date=2021-11-09 |date=2010-08-10}}</ref>
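
The following Python example is added here for illustration and is not part of the original article or of any Microsoft tooling. It statically triages file content for the two properties discussed under Security considerations and Vulnerabilities: script that reaches beyond the page's object model, and picture files that would run as script if saved with an HTA extension. The function name <code>triage_hta</code>, the capability list, and the sample inputs are assumptions constructed for this example.

```python
import re

# File signatures of common image formats. Content that starts like a picture
# but also carries script is the "save this image as .hta" trick.
IMAGE_MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg",
               b"GIF87a": "gif", b"GIF89a": "gif"}
HTA_TAG = re.compile(rb"<\s*hta:application\b", re.I)
SCRIPT_TAG = re.compile(rb"<\s*script\b([^>]*)>", re.I)
LANG_ATTR = re.compile(rb"(?:language|type)\s*=\s*[\x22\x27]?([\w./-]+)", re.I)
# Script constructs that reach beyond the page's object model (files, registry,
# processes). The names are real Windows scripting objects; the list is an
# illustrative assumption, not a complete rule set.
CAPABILITIES = {
    "activex": re.compile(rb"\b(?:new\s+ActiveXObject|CreateObject|GetObject)\s*\(", re.I),
    "filesystem": re.compile(rb"Scripting\.FileSystemObject", re.I),
    "shell_or_registry": re.compile(rb"WScript\.Shell|\bReg(?:Write|Read|Delete)\b", re.I),
}

def triage_hta(data: bytes) -> dict:
    """Summarise what a file would be able to do if opened as an HTA."""
    image = next((kind for magic, kind in IMAGE_MAGIC.items()
                  if data.startswith(magic)), None)
    langs = set()
    for tag in SCRIPT_TAG.finditer(data):
        attr = LANG_ATTR.search(tag.group(1))
        langs.add(attr.group(1).decode("ascii").lower() if attr else "default")
    caps = sorted(name for name, rx in CAPABILITIES.items() if rx.search(data))
    has_tag = bool(HTA_TAG.search(data))
    findings = []
    if image and (langs or has_tag):
        findings.append("image-script-polyglot")
    if caps:
        findings.append("trusted-capability-use")
    return {"image_type": image, "hta_tag": has_tag,
            "script_languages": sorted(langs), "capabilities": caps,
            "findings": findings}

# Constructed samples (not taken from any real file).
SAMPLE_HELLO = (b'<HTML><HEAD><HTA:APPLICATION ID="HelloExample" BORDER="thick"/>'
                b'<TITLE>HTA - Hello World</TITLE></HEAD><BODY></BODY></HTML>')
SAMPLE_ADMIN = (b'<html><head><hta:application id="tool"/><script language="VBScript">'
                b'Set fso = CreateObject("Scripting.FileSystemObject")</script></head></html>')
SAMPLE_POLYGLOT = (b"GIF89a" + b"\x00" * 16 + b'<script language="JScript">'
                   b'var sh = new ActiveXObject("WScript.Shell");</script>')

if __name__ == "__main__":
    for name in ("SAMPLE_HELLO", "SAMPLE_ADMIN", "SAMPLE_POLYGLOT"):
        print(name, triage_hta(globals()[name]))
```

A result with no findings, as for the Hello World sample, only means that none of the listed constructs were seen; the file still runs fully trusted when opened with <code>mshta.exe</code>.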
 
==Example==
This is an example of [["Hello, World!" program|Hello World]] as an HTML Application.
 
<syntaxhighlight lang="html">
<HTML>
<HEAD>
<HTA:APPLICATION ID="HelloExample"
BORDER="thick"
BORDERSTYLE="complex"/>
<TITLE>HTA - Hello World</TITLE>
</HEAD>
<BODY>
<!-- body content is not shown in this diff -->
</BODY>
</HTML>
</syntaxhighlight>
 
== See also ==
*[[Adobe AIR]]
*[[Active Scripting]]
*[[Apache Cordova]]
*[[Chromium Embedded Framework]]
*[[Electron (software framework)]]
*[[Firefox OS]]
*[[React Native]]
*[[XAML Browser Applications]] (XBAPs)
*[[XUL]] and [[XULRunner]] - a language and environment for Mozilla cross-platform applications that resembles the mechanism of HTML Applications.
*[[Windows Script Host]]
 
==References==
{{Reflist}}
 
==External links==
* [http://msdn2.microsoft.com/en-us/library/ms531018.aspx HTML Component (HTC) Reference at MSDN]. An HTC encapsulates specific functionality or behavior within HTAs.
* [https://technet.microsoft.com/en-ca/scriptcenter/default.aspx The Script Center], The Script Center, home of Hey, Scripting Guy! Blog
* [https://technet.microsoft.com/en-ca/scriptcenter/dd742317.aspx Learn About Scripting for HTML Applications (HTAs)], a tutorial site for learning about HTAs
 
[[Category:Widget engines]]
[[Category:User interface markup languages]]
[[Category:Internet Explorer]]
[[Category:HTML]]
 
{{Internet Explorer}}