
Delphi: prevent access to files from TWebBrowser

I use TEmbeddedWB (Internet Explorer ActiveX) in my projects.

I want to prevent people from uploading files:

E.g., go to gmail.com and then attach a file: Internet Explorer opens the upload file window that allows people to access the local disk.

Is there a simple way to prevent this window from being displayed?

Regards


It sounds like you are trying to "sandbox" your app so that your users cannot access the local file system. Perhaps you're building an app that is hosted on Citrix with multiple users, and if one of them "breaks out" of the app, they can run rampant through the file system on the server.

I don't know if there is a simple answer to this particular question, but I recommend that you look at the total problem before trying to solve the individual issues, as you may find that there are just too many. For instance, in the browser ActiveX, you can also "view source". That probably opens Notepad on the server. From there, you can run rampant. Do you have CHM help? From the help window, you can also access the "open file" dialog. Do you allow the user to open/save files through your regular menus? Same issue. How about hyperlinks? If your About box has a hyperlink, that's an easy way to pop open a browser. Can the user enter an address for browsing in your embedded ActiveX? If so, can they enter things like: C:\WINDOWS\system32\cmd.exe


You could decouple the navigation, do it yourself, sanitize the HTML then display the sanitized version. Unfortunately you would have to do this for ALL resources and would need to handle the numerous JavaScript libraries. For basic HTML, look for <input type="file". This would at least catch the basic usage, but not the more advanced usage.

A simpler solution might be to limit what URLs the browser can navigate to and only allow URLs you know are safe.

Assuming you don't want them to browse the local machine, if you solve the "open file" problem the same issue exists if you have a "save file" dialog. You may have to close those loops by replacing the browser popup menu with one that does not have any "Save x As..." options.
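
The URL allow-list suggested above, and the `C:\WINDOWS\system32\cmd.exe` case from the first answer, can both be handled in the browser's OnBeforeNavigate2 event. This is an added example, not code from the original posts: the form name `TForm1`, the component name `EmbeddedWB1` and the hosts in `AllowedHosts` are assumptions, and `SysUtils` must be in the unit's uses clause.

```delphi
const
  AllowedHosts: array[0..1] of string =        // hypothetical allow-list
    ('intranet.example.com', 'help.example.com');

function IsUrlAllowed(const Url: string): Boolean;
const
  Prefix = 'https://';
var
  Rest: string;
  I: Integer;
begin
  Result := False;
  // IE treats '\' like '/', so normalise before parsing.
  Rest := LowerCase(StringReplace(Trim(Url), '\', '/', [rfReplaceAll]));
  // Anything that is not https stops here: file:, res:, about:,
  // javascript: and bare paths such as C:/WINDOWS/system32/cmd.exe.
  if Copy(Rest, 1, Length(Prefix)) <> Prefix then
    Exit;
  Delete(Rest, 1, Length(Prefix));
  // The authority part ends at the first '/', '?' or '#'.
  I := 1;
  while (I <= Length(Rest)) and (Pos(Rest[I], '/?#') = 0) do
    Inc(I);
  Rest := Copy(Rest, 1, I - 1);
  // Drop "user@" so https://help.example.com@other.test/ is judged
  // by its real host (other.test), not by the text before the '@'.
  Delete(Rest, 1, LastDelimiter('@', Rest));
  // Drop ":port".
  I := Pos(':', Rest);
  if I > 0 then
    Rest := Copy(Rest, 1, I - 1);
  // Exact match only: no substring or suffix tests.
  for I := Low(AllowedHosts) to High(AllowedHosts) do
    if Rest = AllowedHosts[I] then
    begin
      Result := True;
      Exit;
    end;
end;

// Let the IDE generate this handler from the OnBeforeNavigate2 event and keep
// its parameter list; older Delphi versions declare the OleVariant parameters
// as var (shown here), newer ones as const. Only the body is the example.
procedure TForm1.EmbeddedWB1BeforeNavigate2(ASender: TObject;
  const pDisp: IDispatch; var URL, Flags, TargetFrameName, PostData,
  Headers: OleVariant; var Cancel: WordBool);
begin
  // Fires for top-level and frame navigations; cancel everything off the list.
  Cancel := not IsUrlAllowed(URL);
end;
```

If the application itself loads `about:blank` or local help pages, add those as explicit exact-match cases rather than loosening the scheme check. This restricts navigation only; it does not remove the file dialogs, context menu or "view source" paths mentioned in the answers.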
