Html user interface

Here you can discuss ReactOS related topics.

Moderator: Moderator Team

BrandonTurner
Developer
Posts: 66
Joined: Tue Jan 11, 2005 1:42 am

Post by BrandonTurner »

mshtml the base of the windows html rendering is one of the files that is always patched because of security threats on windows. once you open a door to your operating system based on html and other apps start to use it for there html rendering snicking stuff that shouldnt be in there into becomes much eaiser and if it isnt coded PERFECT who knows what will happen when someone makes code to break it. granted windows asked for trouble when they let activex tie into it as well allow even more access to it with even more flawed code, if you are going to make html render that is linked the OS you need to make sure that A) it is perfect and will never allow anything it shouldnt and B) anything that is written to use it including third party apps not part of the OS are coded perfect not to let stuff filter into it.
Stead
Posts: 163
Joined: Mon Nov 29, 2004 3:00 pm

Post by Stead »

just out of interest, how can a html engine make a computer more likely to be attacked?

it is in my opinion a html engine simply processes html, and has nothing to do with the actual os, networking functions, elite 'hax0rs' hacking ur computer n what not
Quigs
Posts: 78
Joined: Sat Dec 04, 2004 7:24 am
Location: USA

Post by Quigs »

to the security issue....

Lets write the interface in C, because thats more secure and nobody makes mistakes writting C.

<bit of sarcasm, doesnt exactly work, but I think you should get the point>

My vote is for HTML, or something similar. Because I highly like the idea of being able to download something and have a nice new interface for configuring something.
Perhaps running a completely seperate program that does not have web browsing capability? and for the implementation, this seperate program will simply call regedit to change the values for it..

Sounds like an awesome plan to me... (blow holes in it)
Phalanx
Posts: 360
Joined: Sun Dec 19, 2004 12:42 am
Location: Australia

Post by Phalanx »

BrandonTurner wrote:mshtml the base of the windows html rendering is one of the files that is always patched because of security threats on windows. once you open a door to your operating system based on html and other apps start to use it for there html rendering snicking stuff that shouldnt be in there into becomes much eaiser and if it isnt coded PERFECT who knows what will happen when someone makes code to break it. granted windows asked for trouble when they let activex tie into it as well allow even more access to it with even more flawed code, if you are going to make html render that is linked the OS you need to make sure that A) it is perfect and will never allow anything it shouldnt and B) anything that is written to use it including third party apps not part of the OS are coded perfect not to let stuff filter into it.
The same goes for a C engine, so there is no real reasons in here. One thing was that the mshtml engine ment other programs could use it and less places for more security holes.
Floyd
Posts: 300
Joined: Sat Nov 27, 2004 7:45 am
Location: The frozen part of the USA

HTML or not ...

Post by Floyd »

I personally think a MMC type interface for the applets would rock.

I don't really care if it's HTML for the interface or not; though I do like the idea of being able to customize HTML interfaces for distributions for schools and the like ....
pax mei amici amorque et Iesus sacret omnia
Toxigenicpoem
Posts: 29
Joined: Wed Jan 26, 2005 6:48 pm

Post by Toxigenicpoem »

Phalax hit it, either way we need to have a viable HTML render embedded in the system. Either Via installation options or not. Most of the modern software is using embedded HTML in the programs to display information. (i.e. World of Warcraft).

We obviously know that coding a HTML engine is a tedious process, and why re-invent the wheel when we don't have to. It would be nice to have the Gecko engine intergrated into the system. And they already have an ACTIVE-X control, which means for the ROS development team, lots less time writing wrappers for MSHTML requests, because it has already been done..
integrating an html render into the OS was one of the dowfalls of windows.
I wouldn't say it was the intergrating that is leading to the downfall, as much as the improper implimentation, and delayed fixes. Due to the coding structure of Windows, and the intended use of MSHTML for the Windows system, it left a lot of security holes. The MSHTML engine can be spoofed to allow files that are on the system to be re-run through a hidden frame. When they are run, a simple Domain Refeer spoof can be used, which now makes the script behave as if it had Admin rights. Its all a nightmare, and I def. do not want to see this happen in ROS.

We gotta have one. :)
e7
Posts: 92
Joined: Thu Dec 09, 2004 8:32 pm
Location: In Bayern ganz oben

Post by e7 »

I would choose the XUL engine and/or syntax from Mozilla (for all who have Mozilla/Firefox: http://www.mozilla.org/projects/xul/tests/buttons.xul )
BrandonTurner
Developer
Posts: 66
Joined: Tue Jan 11, 2005 1:42 am

Post by BrandonTurner »

Stead wrote:just out of interest, how can a html engine make a computer more likely to be attacked?

it is in my opinion a html engine simply processes html, and has nothing to do with the actual os, networking functions, elite 'hax0rs' hacking ur computer n what not
trust me, when you give something admin rights and let other people build their own programs off it, people will find a way to break it so they can us it forwhatever they want. usually a buffer over flow or sorts will allow their own code to be excuted. people can figure anything out really, like the gdi problem that allowed scripting in jpg files, or when they found out how to excute code out of a midi file. dont put anything past these elite 'hax0rs' you want to give no credit to.


want to see the secuirty patched that had to do with mshtml:

http://www.google.com/search?hl=en&lr=& ... tnG=Search
Toxigenicpoem
Posts: 29
Joined: Wed Jan 26, 2005 6:48 pm

Post by Toxigenicpoem »

I agree :) They have already hacked the Ipod.. 'closed-platform' hardware. http://ipodlinux.org
BrandonTurner
Developer
Posts: 66
Joined: Tue Jan 11, 2005 1:42 am

Post by BrandonTurner »

yeah anything can be done, thats what im saying. they found bugs in video games that allow you to put linux on an xbox without extra hardware. if there is a problem witht he sftware it is a huge threat. thats all im saying, im not saying it isnt a bad idea, just that it was one of the downfalls of windows no matter how you look at it.
AcetoliNe
Posts: 115
Joined: Wed Jan 05, 2005 10:53 pm
Location: a thousand miles from Hinterland
Contact:

Post by AcetoliNe »

just out of interest, how can a html engine make a computer more likely to be attacked?
Quite easily. The problem is not so much the html (buffer overflows and faulty libraries aside) as it is one component which has probably caused the most damage to windows in history:
(queue the ominous background music)

ActiveX.

ActiveX has been part of Internet Explorer for quite a while, and only recently has microsoft realized it's dangers and tried to contain it somewhat. Everything from spyware to system shutdowns can be created with it, which makes it a favourite for hackers.
caveman LIKES chocolate.
we shall reinvent the wheel until it turns properly.
SirTalon
Posts: 67
Joined: Sun Nov 28, 2004 8:53 pm

Post by SirTalon »

Window's downfall security wise was being too integrated (with out the parts being modular, integration itself isn't bad, look at KDE). I think the Control Panel SHOULD be written in C/C++, since it will be MUCH smaller, and MUCH faster. It should be run with the same permissions as the user that opened it, that way buffer over flows and the like won't be a problems, since there will be nothing achieved by doing them (no privilege escalation).

Generally the control panel is only used for system /administration/, meaning there wouldn't really be a reason to rebrand it with a school or company logo since only the administrators that put the logo in would ever see it. (OEMs may want to cause they like to rebrand everything with their logo on it for free advertisements)
Len
Posts: 4
Joined: Wed Feb 02, 2005 10:37 pm

Post by Len »

Hi,
I check the ReactOS site for about half a year now, and I finally decided to take part in the forums.
I tried over 40 linux distros, including making my own just to find a replacement for Windows and found out that they are either too incompatible or too hard to use for most purposes (sure, you can make a clean nice interface, but what if you actually want to install a new app?). BSD is quicker as Linux, yet still has the above problems. SkyOS is nice, but not much software available for that one. All other OSses, except for the Mac OS (I'm a Macintosh user, but install/repair/customize every operating system (*nix, DOS, Be, etc) and hardware for a living until I find a nice school) have similar problems. And telling people to buy a $600 Mac isn't an option in most cases. and, if money is a factor, companies rather use a free OS.

So, that's how I came here. Now, to take part in this discussion (forgive if I'm sounding harsh, that's my way of keeping a discussion going :D, ow, and my English isn't perfect as well):

HTML is certainly not required to create a 'nice' or 'customizable' interface. In fact I think it is too limited for that purpose.
Things like an 'Active Desktop' drive users crazy. Most don't know how to get pictures off their 'Active Desktop' when they accidently added some, and all other features, like the HTML rendering in folders take up screen space and speed, not to mention confusing users. And those "set up your..." wizards really are a disaster. In other words, I hate the Internet Exploder integration in Windows. And it isn't even necessary, except for a few shitty 'programs' that doesn't run in ReactOS because they'll require ActiveX anyway.
how can a html engine make a computer more likely to be attacked?
A plain HTML engine (and I mean one without networking) can't I guess, but ActiveX, Java, etc...

Anyway, if you need to write your own HTML rendering engine, why not adding something nicer? HTML is very limited and relatively slow. It is also not a thing the end user can and will customize. Adding your own scripting language that add interface objects and creating an editor for it will give both the 'power-user' and newbie a much easier and more powerful customization tool.
Lets write the interface in C, because thats more secure and nobody makes mistakes writting C.
Oops, I accidently wrote some working network code that compiles without error and accidently installs itself into the ReactOS core to allow spyware and alike to be able to install and integrate themselves with the system just by visiting a web page and/or opening an email message!

Point is, if you create such a 'html renderer' (read: integration of Internet Explorer within every part of windows, including java, ActiveX, etc) as used in Windows ... well, fill in the rest yourself. I guess you'll understand now, although I'm very curious about what features you want to have in ReactOS that are accomplished by the IE integration. Guess that makes more sense as discussing HTML implementation since most features can be done in other easier ways as well, without HTML and ActiveX. Do not hestitate to correct me if I'm wrong though :).
Because I highly like the idea of being able to download something and have a nice new interface for configuring something.
Why do you need HTML for that?
Sorry, but ReactOS is going to need one no matter what to be a windows replacement. There is already Gekko anyway.
Again, why? For compatibility it doesn't require such an engine, and for a user-friendly interface it is a disaster. ReactOS needs to be a Windows replacement, yes. But this doesn't mean things have to be the same, heck, almost every part in Windows needs improvement and the user interface is high on my priority list.

Look at a system such as Mac OS X (no matter if you like the system or not), it doesn't have HTML in the GUI, yet it is very clear, user friendly and highly customizable. Heck, they even included an "interface builder" with the developer tools where you can build an interface like you draw with a painting program and then link it to your program, but also to simple scripts. This system does have an XML renderer as plugin, for use with the help viewer. A consistent, clear, fast yet still highly customizable interface isn't something to make with HTML, really. Mac users use six times the applications as Windows users do, while most of those apps have more features as their windows counterparts as well. This is just because that OS has a much easier, but also, common interface so people learn it quicker, and feel in control of their machine so go to explore new apps.
Windows could be the same. ReactOS hopfully WILL become something like that.

EDIT: whoops, took my long to post this (actually switched doing something else before finishing this) that two people replied with similar things already. Nah, not going to edit them out ;-).
Quigs
Posts: 78
Joined: Sat Dec 04, 2004 7:24 am
Location: USA

Post by Quigs »

My idea had absolutely no activeX in it... its just that many people already have experience with html,
Quote:
Because I highly like the idea of being able to download something and have a nice new interface for configuring something.


Why do you need HTML for that?
So that it flows well with the rest of the configurable options in ROS. I absolutely hate when, for example printer software have their own custom way to do everything. It does not have to be html, IT JUST CAN NOT BE THE SAME as the browser ROS will use for other things.

clarification of not the same....lets say we make a watered down version of firefox for configuring stuff and we use it for internet too..
we will have
  • \Program Files\Firefox - same old Firefox
    \system32\FirefoxAdmin - Firefox System Configuration Version
Last edited by Quigs on Thu Feb 03, 2005 5:13 am, edited 1 time in total.
uniQ
Posts: 246
Joined: Sat Dec 04, 2004 8:58 am

Post by uniQ »

2 minor comments:

It's "Firefox', no 2nd capital "F".

Can you put that link in [url = ]here[/ url] tags? Now it's making the page sidescroll annoyingly.

We now return to your reguarly scheduled discussion:

Thanx

-uniQ
Coming on, coming up, let me help ROS and I'll be able to look @ a life well used.
Post Reply

Who is online

Users browsing this forum: No registered users and 46 guests