Opening a local file in a browser

[Mark Rae]

Hi,

I'm writing a web app in VS.NET 2003, part of which allows users to download
reports in the form of XML documents to their local machine for further
processing. I'm using a 3rd-party Java applet to do this, and it works
perfectly.

However, I'd like to be able to offer users the ability to view the XML
documents once they've downloaded them. I thought I could do this by
providing a simple hyperlink, but I must be doing something wrong because
it's not working.

E.g. let's say they've downloaded a document called 20050122091003.xml into
the root of their C:\ drive. I created a hyperlink control which, when I do
a View Source in the HTML that ASP.NET generates, looks like this:

<a target="_blank"
href="file:///C:/20050122091003.xml">C:\20050122091003.xml</a>

However, when I click it, nothing happens. But, if I take the href portion
of the hyperlink and paste it into the Address box of a browser window, it
opens perfectly.

What am I doing wrong?

Any assistance gratefully received.

Mark Rae

 

[Nicole Calinoiu]

Mark,

This is actually a browser security feature; it has nothing to do with your
application in particular. If the browser in question is IE, the simplest
workaround is usually to add the site to the trusted sites list. Of course,
this should only be done if the site is actually sufficiently trustworthy to
merit this.

HTH,
Nicole

 

[Tarren]

You could achieve the feature this way.

Keep a copy of the file on the server, and stream it to the browser when
they click to view, so it will be a replica of the file they have on their
disk. Since it will be readonly, it will not be an issue.

Or, if the file is small enough, you can keep it in memory and stream it
from memory.

You could just keep the memory on server disk/memory until they confirm/deny
the option to view it on screen to manage server resources.

 

[Mark Rae]

"Nicole Calinoiu" <calinoiu REMOVETHIS AT gmail DOT com> wrote in message

Nicole,

Thanks for the reply.

This is actually a browser security feature; it has nothing to do with
your application in particular.

I see.

If the browser in question is IE, the simplest workaround is usually to
add the site to the trusted sites list.

Yep - that works.

Of course, this should only be done if the site is actually sufficiently
trustworthy to merit this.

Since I'm building the site, I'm confident of its trustworthiness...

Mark

 

[Nicole Calinoiu]

Since I'm building the site, I'm confident of its trustworthiness...

Really? Do you allow any user-provided text to be displayed in any page
without HTML-encoding? If so, your site is probably vulnerable to
cross-site scripting attacks, and it shouldn't be added to the trusted sites
zone. Personally, I make every effort to ensure that my applications
HTML-encode every bit of dynamic text that might end up in any page, but I
still worry since there's always the chance I missed one somewhere...

Other points of potential risk are things like allowing users (even highly
privileged users) to specify the local file to be opened by one of your
file: protocol links. This sort of thing could allow one user to force
local execution of potentially malicious code on another user's computer,
within the context of the launching user's account.

 

[Mark Rae]

You could just keep the memory on server disk/memory until they
confirm/deny the option to view it on screen to manage server resources.

That might be the best solution - thanks.