how to prevent IE to run javascript in txt file

I'm using tomcat 5.0 and IE 6.0.3790.1830.

I created a file test.txt with content:
<script>alert('test_attachment')</script>

I put test.txt under directory "C:\Program Files\Apache Software
Foundation\Tomcat 5.0\webapps\ROOT", then access this file from IE using url:
http://localhost:8080/test.txt, I can see the dialog of 'test_attachment'.

so IE is executing the javascript, instead of using a default txt editor
such as notepad to open test.txt.

But if I use firefox, firefox will display test.txt content, instead of
running the javascript.

For IE, is this as designed? or is there any workaround to let IE display
test.txt content instead of running the javascript?

Thank you!

"serene" <serene@discussions.microsoft.com> wrote in message
news:7B4B900C-0893-4C9A-862D-08A58240C90B@microsoft.com...
> I'm using tomcat 5.0 and IE 6.0.3790.1830.
>
> I created a file test.txt with content:
> <script>alert('test_attachment')</script>
>
> I put test.txt under directory "C:\Program Files\Apache Software
> Foundation\Tomcat 5.0\webapps\ROOT", then access this file from IE using url:
> http://localhost:8080/test.txt, I can see the dialog of 'test_attachment'.
>
> so IE is executing the javascript, instead of using a default txt editor
> such as notepad to open test.txt.
>
> But if I use firefox, firefox will display test.txt content, instead of
> running the javascript.
>

> For IE, is this as designed? or is there any workaround to let IE display
> test.txt content instead of running the javascript?


By default IE does MIME sniffing and ignores the file extension.
So, to see whether IE should be doing that you would have to consider
the Content-type the file is being sent under plus the fact that this
probably looks like HTML when it is scanned.

You could try using the Custom Level Security setting which forces IE
to respect the file extension.


>
> Thank you!


Good luck

Robert Aldwinckle
---

"serene" <serene@discussions.microsoft.com> wrote in message
news:7B4B900C-0893-4C9A-862D-08A58240C90B@microsoft.com...
> I'm using tomcat 5.0 and IE 6.0.3790.1830.
>
> I created a file test.txt with content:
> <script>alert('test_attachment')</script>
>
> I put test.txt under directory "C:\Program Files\Apache Software
> Foundation\Tomcat 5.0\webapps\ROOT", then access this file from IE using
> url:
> http://localhost:8080/test.txt, I can see the dialog of 'test_attachment'.
>
> so IE is executing the javascript, instead of using a default txt editor
> such as notepad to open test.txt.
>
> But if I use firefox, firefox will display test.txt content, instead of
> running the javascript.
>
> For IE, is this as designed? or is there any workaround to let IE display
> test.txt content instead of running the javascript?
>
> Thank you!
>

You may be a victim of Local Machine Lockdown
Local Machine Lockdown
http://www.winxptutor.com/lmzunlock.htm
and
http://www.microsoft.com/technet/pro...on129121120120

or you may need the Mark of the Web:
Mark of the Web:
http://msdn.microsoft.com/library/de...rview/motw.asp
or Rename the page from page.HTM to page.HTA
http://www.microsoft.com/technet/pro...rows.mspx#EIAA

--
Frank Saunders MS-MVP IE,OE/WM
Do not reply with email

Hi, Robert

Thank you very much for the explaination. It works

"Robert Aldwinckle" wrote:

> "serene" <serene@discussions.microsoft.com> wrote in message
> news:7B4B900C-0893-4C9A-862D-08A58240C90B@microsoft.com...
> > I'm using tomcat 5.0 and IE 6.0.3790.1830.
> >
> > I created a file test.txt with content:
> > <script>alert('test_attachment')</script>
> >
> > I put test.txt under directory "C:\Program Files\Apache Software
> > Foundation\Tomcat 5.0\webapps\ROOT", then access this file from IE using url:
> > http://localhost:8080/test.txt, I can see the dialog of 'test_attachment'.
> >
> > so IE is executing the javascript, instead of using a default txt editor
> > such as notepad to open test.txt.
> >
> > But if I use firefox, firefox will display test.txt content, instead of
> > running the javascript.
> >
>
> > For IE, is this as designed? or is there any workaround to let IE display
> > test.txt content instead of running the javascript?
>
>
> By default IE does MIME sniffing and ignores the file extension.
> So, to see whether IE should be doing that you would have to consider
> the Content-type the file is being sent under plus the fact that this
> probably looks like HTML when it is scanned.
>
> You could try using the Custom Level Security setting which forces IE
> to respect the file extension.
>
>
> >
> > Thank you!
>
>
> Good luck
>
> Robert Aldwinckle
> ---
>
>
>