locked
WebView content potentially dangerous to app?

    Question

  • I'm using a WebView in my app.

    I've run across one particular html page (local, not on web, but downloaded, with links to external images) via my e-mail app where after displaying this message (which works fine) the next thing the user clicks on (specifically, any other message) will result in a freeze. 

    If I click on any of the other messages (and display them in webview) without clicking on this message, they will display fine and there is no freeze.  It's only after displaying that one message that the next thing will freeze.

    The freeze is not happening in my code, it happens when DONE preprocessing the next message (in my code) for display (that is, it gets to the end of that function, but never returns to the calling function as I stepped thru it).

    It sounds like what I expect would happen if the call stack was somehow corrupted, but I thought that couldn't happen in C# as easily because it's managed code.  The only thing I can think of that might not be safe is the WebView control.

    The only fix I can think of is to try not displaying images by default.  Does anyone else have ideas/suggestions that they're willing to share.


    -Rob

    Tuesday, August 5, 2014 12:48 PM

Answers

  • Not that it's right, but the malformed HTML is causing this problem. Here's where it gets malformed:

    ...
    </html> EVERYTHING AFTER THIS IS BAD HTML
    \n<br>  <br> <br> \n\n<a href=\"http://www.gunsling.info/2iTkPt9PgxlN9tOQ8UKy8rRhhFS5joN9ehx95iPE1UVJelMv16XVZ9Stf9fSCfYWkiHDDCEsgNxD5CQTHDqY67Q%253D%253D\" TARGET=\"_blank\">A\n</font><font face=\"Arial, Helvetica, sans-serif\" size=\"1\" ><center>NETWORK NOW Email Unsubscribe \nPO Box 17598	<Baltimore	MD	21297-1598

    If you validate your HTML before navigating to it, I don't think you'll have this problem.  I'll file a bug against this as well.


    Matt Small - Microsoft Escalation Engineer - Forum Moderator
    If my reply answers your question, please mark this post as answered.

    NOTE: If I ask for code, please provide something that I can drop directly into a project and run (including XAML), or an actual application project. I'm trying to help a lot of people, so I don't have time to figure out weird snippets with undefined objects and unknown namespaces.

    • Marked as answer by Rob Wilkens Thursday, August 7, 2014 5:43 PM
    Thursday, August 7, 2014 3:39 PM
    Moderator

All replies

  • Can you get a dump when it's hanging, and share it here?

    Matt Small - Microsoft Escalation Engineer - Forum Moderator
    If my reply answers your question, please mark this post as answered.

    NOTE: If I ask for code, please provide something that I can drop directly into a project and run (including XAML), or an actual application project. I'm trying to help a lot of people, so I don't have time to figure out weird snippets with undefined objects and unknown namespaces.

    Tuesday, August 5, 2014 7:55 PM
    Moderator
  • Can I post binaries here, and if so. How?

    I have a dump and I also have inbox data files containing message which I can also share if it helps.


    -Rob

    Tuesday, August 5, 2014 8:44 PM
  • Can I post binaries here, and if so. How?

    I have a dump and I also have inbox data files containing message which I can also share if it helps.


    -Rob

    I created the dump file, but it's 96MB so posting it online would be difficult.

    I can see from the stack trace *in* the dumpfile that it is stuck on:

    DisplayedMessage.NavigateToString(LastMessageRead.DisplayedContent);

    DisplayedMessage is the WebView, NavigateToString is telling it to load the string as a web page, and LastMessageRead.DisplayedContent is the html-content of the message.

    There is one function higher than NavigateToString in the stack trace, but I can only see it (debugging w/ managed only) as "[Managed to Native Transition]".  I will post a follow up after I debug with mixed if I find anything interesting about where in native code it is stuck.

    The string-html message would normally open fine, but it's AFTER it loads a particular message, and then goes to NavigateToString on the same message that there is a problem.


    -Rob

    Tuesday, August 5, 2014 11:11 PM
  • The below is from debugging with mixed mode.. It's the stack trace starting at MsgClick and DisplayMessage which are functions I wrote in my code, but it's stuck somewhere seemingly waiting

      ntdll.dll!_NtWaitForSingleObject@12() Unknown
      KERNELBASE.dll!_WaitForSingleObjectEx@12() Unknown
      KERNELBASE.dll!_WaitForSingleObject@8() Unknown
      mshtml.dll!CDwnTaskExec::DelTask() Unknown
      mshtml.dll!CHtmLoad::Passivate() Unknown
      mshtml.dll!CBaseFT::Release(void) Unknown
      mshtml.dll!CDwnInfo::SetLoad() Unknown
      mshtml.dll!CHtmCtx::SetLoad() Unknown
      mshtml.dll!CMarkup::ExecStop() Unknown
      mshtml.dll!CDoc::DoNavigate() Unknown
      mshtml.dll!CDoc::FollowHyperlink2() Unknown
      mshtml.dll!CWindow::SuperNavigateInternal() Unknown
      mshtml.dll!CWindow::SuperNavigate2WithBindFlags(struct IUri *,unsigned short *,unsigned short *,unsigned short *,struct tagVARIANT *,struct tagVARIANT *,unsigned long,unsigned long,struct IBindCtx *,int *) Unknown
      mshtml.dll!CWebPlatform::Navigate() Unknown
      mshtml.dll!CCoreWebView::NavigateToString(unsigned short *) Unknown
      Windows.UI.Xaml.dll!DirectUI::CoreWebViewHost::NavigateToStringImpl(HSTRING__ * hstrNavigationString) Line 4457 C++
      Windows.UI.Xaml.dll!DirectUI::WebView::NavigateToStringImpl(HSTRING__ * hstrNavigationString) Line 366 C++
      Windows.UI.Xaml.dll!DirectUI::WebViewGenerated::NavigateToString(HSTRING__ * text) Line 85380 C++
      [Managed to Native Transition] 
    > fMail.exe!fMail.MainPage.DisplayMessage() Line 4031 C#
      fMail.exe!fMail.MainPage.MsgClick(object sender, Windows.UI.Xaml.RoutedEventArgs e) Line 3962 C#


    -Rob

    Tuesday, August 5, 2014 11:15 PM
  • When I say "but it's stuck somewhere seemingly waiting" I mean in code initiated by mshtml.dll... That is, it's not my code that is stuck, but rather the mshtml.dll code that is stuck.

    -Rob

    Wednesday, August 6, 2014 11:22 AM
  • Below is the message (displayed with WebView.NavigateToString) which causes the -next- WebView.NavigateToString fail every time.. Yes, it is spam, no i'm not spamming the group, but I need to post this here to demonstrate which message fails

    <html>
      <head>
      </head>
      <body>
    <br><div>
     <a href="http://www.gunsling.info/1iv0bvnVWqmfal9r6rSdC5AhZz5GKbBeDD189B%252F9xiAHivMrlVjscTR973qjKSbFlmoa4oqFBITzrfGEF%252B2MzvUtI%252FhGNXYYfyAvIYhrg8wEW%252BW%252FZwwXLLTd96mwXuoGhGAGTXuyRz8DTm62HlUR5nStCuyEg%252FS%252Foly3uL0YuS2hvysPdbWO8uP5LB2ry2zQ2KPRN8E4r6RIeaFgPHWuAnA%253D%253D" TARGET="_blank"></font><font face="Arial, Helvetica, sans-serif" size="2" >
    Get the experience of  A  l i f e t i m e  with an  African Safari!  <br> 
    
    <br>          <a href="http://www.gunsling.info/1iv0bvnVWqmfal9r6rSdC5AhZz5GKbBeDD189B%252F9xiAHivMrlVjscTR973qjKSbFlmoa4oqFBITzrfGEF%252B2MzvUtI%252FhGNXYYfyAvIYhrg8wEW%252BW%252FZwwXLLTd96mwXuoGhGAGTXuyRz8DTm62HlUR5nStCuyEg%252FS%252Foly3uL0YuS2hvysPdbWO8uP5LB2ry2zQ2KPRN8E4r6RIeaFgPHWuAnA%253D%253D" TARGET="_blank"><img src="http://www.gunsling.info/2HU1JescJC9WaK76jv1o8aGAC%252B0EAOHj3%252F6jvEeR%252Fq9zUwJDyvGoVTNHGWh8RykY0lhFNO3SvMlZ577JTbdf8RQ%253D%253D"></a><br><div>
    
              <a href="http://www.gunsling.info/1iv0bvnVWqmfal9r6rSdC5AhZz5GKbBeDD189B%252F9xiAEe4s0X%252FWE%252Bv1T7uZE7mvpw8zWvbln0jLQujxQgs3GHaA%253D%253D" TARGET="_blank"><img src="http://www.gunsling.info/2I4uo7iDo8R34IeV5esxzXSpx4PsiCzb8aqn%252B57Q0KS%252FxUfAingqSNtSEEP4tzwVEQ6XVEtbuUjUH8%252FG%252BYRANGw%253D%253D"></a><br><div>
     
              <a href="http://www.gunsling.info/2iTkPt9PgxlN9tOQ8UKy8rRhhFS5joN9ehx95iPE1UVJelMv16XVZ9Stf9fSCfYWkiHDDCEsgNxD5CQTHDqY67Q%253D%253D" TARGET="_blank"><img src="http://www.gunsling.info/2oD9pxy7JeXyw32Yp3ekhBeGbj3g7bPHho9enphZFOP7kGKII2laOq026ltxtm5c9vnNutD1lw3RSI21h70cg%252Bg%253D%253D"></a><br>
    
    <div><br><div><br>
      </body>
    </html>
    
    
    <br>  <br> <br> 
    
    
    <a href="http://www.gunsling.info/2iTkPt9PgxlN9tOQ8UKy8rRhhFS5joN9ehx95iPE1UVJelMv16XVZ9Stf9fSCfYWkiHDDCEsgNxD5CQTHDqY67Q%253D%253D" TARGET="_blank">A
    </font><font face="Arial, Helvetica, sans-serif" size="1" ><center>
    NETWORK NOW Email Unsubscribe 
    PO Box 17598	<Baltimore	MD	21297-1598


    -Rob


    • Edited by Rob Wilkens Wednesday, August 6, 2014 12:11 PM html was cut off
    Wednesday, August 6, 2014 12:08 PM
  • Post it to OneDrive and share the link here.

    Matt Small - Microsoft Escalation Engineer - Forum Moderator
    If my reply answers your question, please mark this post as answered.

    NOTE: If I ask for code, please provide something that I can drop directly into a project and run (including XAML), or an actual application project. I'm trying to help a lot of people, so I don't have time to figure out weird snippets with undefined objects and unknown namespaces.

    Wednesday, August 6, 2014 1:14 PM
    Moderator
  • [link deleted]

    (hopefully I did above correct)

    Thread ID 4596 seems to be the thread where I call NavigateToString in DisplayMessage


    -Rob


    • Edited by Rob Wilkens Thursday, August 7, 2014 6:09 PM removed onedrive link
    Wednesday, August 6, 2014 1:24 PM
  • [removed onedrive link]

    (hopefully I did above correct)

    Thread ID 4596 seems to be the thread where I call NavigateToString in DisplayMessage


    -Rob

    I should point out the filename is "fmail 080514.zip" or something very close to that.

    -Rob


    • Edited by Rob Wilkens Thursday, August 7, 2014 6:09 PM removed onedrive link
    Wednesday, August 6, 2014 5:55 PM
  • Ok, I posted the dump file yesterday, against my better judgment.  It's still up for now.  Can I get a confirmation that someone is looking into this?  Should I file an e-mail support request rather than forums?

    -Rob


    -Rob

    Thursday, August 7, 2014 10:42 AM
  • Rob - I'm looking at this now. 

    Matt Small - Microsoft Escalation Engineer - Forum Moderator
    If my reply answers your question, please mark this post as answered.

    NOTE: If I ask for code, please provide something that I can drop directly into a project and run (including XAML), or an actual application project. I'm trying to help a lot of people, so I don't have time to figure out weird snippets with undefined objects and unknown namespaces.

    Thursday, August 7, 2014 1:07 PM
    Moderator
  • Can you send me the content of the email that causes the hang? 

    Matt Small - Microsoft Escalation Engineer - Forum Moderator
    If my reply answers your question, please mark this post as answered.

    NOTE: If I ask for code, please provide something that I can drop directly into a project and run (including XAML), or an actual application project. I'm trying to help a lot of people, so I don't have time to figure out weird snippets with undefined objects and unknown namespaces.

    Thursday, August 7, 2014 1:45 PM
    Moderator
  • I already did a few messages back in this thread (the quoted html spam).  That message actually does not cause the freeze, it's whatever message that follows it that causes the problem.  i.e. first you NavigateToString on the above message, then you navigateToString on virtually anything else.

    Do you want me to post the program data files from LocalState directory?

    Want me to try to create a smaller test program that isolates this problem?  I might be able to throw a WebView and two buttons where one button navigates to the troubled message, and the next button navigates to just about anything else?


    -Rob

    Thursday, August 7, 2014 1:48 PM
  • using System;
    using System.Collections.Generic;
    using System.IO;
    using System.Linq;
    using System.Runtime.InteropServices.WindowsRuntime;
    using Windows.Foundation;
    using Windows.Foundation.Collections;
    using Windows.UI.Xaml;
    using Windows.UI.Xaml.Controls;
    using Windows.UI.Xaml.Controls.Primitives;
    using Windows.UI.Xaml.Data;
    using Windows.UI.Xaml.Input;
    using Windows.UI.Xaml.Media;
    using Windows.UI.Xaml.Navigation;
    
    // The Blank Page item template is documented at http://go.microsoft.com/fwlink/?LinkId=234238
    
    namespace App1
    {
        /// <summary>
        /// An empty page that can be used on its own or navigated to within a Frame.
        /// </summary>
        public sealed partial class MainPage : Page
        {
            public MainPage()
            {
                this.InitializeComponent();
            }
    
            private void Button_Click(object sender, RoutedEventArgs e)
            {
              
                MessageView.NavigateToString("<html>\n  <head>\n  </head>\n  <body>\n<br><div>\n <a href=\"http://www.gunsling.info/1iv0bvnVWqmfal9r6rSdC5AhZz5GKbBeDD189B%252F9xiAHivMrlVjscTR973qjKSbFlmoa4oqFBITzrfGEF%252B2MzvUtI%252FhGNXYYfyAvIYhrg8wEW%252BW%252FZwwXLLTd96mwXuoGhGAGTXuyRz8DTm62HlUR5nStCuyEg%252FS%252Foly3uL0YuS2hvysPdbWO8uP5LB2ry2zQ2KPRN8E4r6RIeaFgPHWuAnA%253D%253D\" TARGET=\"_blank\"></font><font face=\"Arial, Helvetica, sans-serif\" size=\"2\" >\nGet the experience of  A  l i f e t i m e  with an  African Safari!  <br> \n<br>          <a href=\"http://www.gunsling.info/1iv0bvnVWqmfal9r6rSdC5AhZz5GKbBeDD189B%252F9xiAHivMrlVjscTR973qjKSbFlmoa4oqFBITzrfGEF%252B2MzvUtI%252FhGNXYYfyAvIYhrg8wEW%252BW%252FZwwXLLTd96mwXuoGhGAGTXuyRz8DTm62HlUR5nStCuyEg%252FS%252Foly3uL0YuS2hvysPdbWO8uP5LB2ry2zQ2KPRN8E4r6RIeaFgPHWuAnA%253D%253D\" TARGET=\"_blank\"><img src=\"http://www.gunsling.info/2HU1JescJC9WaK76jv1o8aGAC%252B0EAOHj3%252F6jvEeR%252Fq9zUwJDyvGoVTNHGWh8RykY0lhFNO3SvMlZ577JTbdf8RQ%253D%253D\"></a><br><div>\n          <a href=\"http://www.gunsling.info/1iv0bvnVWqmfal9r6rSdC5AhZz5GKbBeDD189B%252F9xiAEe4s0X%252FWE%252Bv1T7uZE7mvpw8zWvbln0jLQujxQgs3GHaA%253D%253D\" TARGET=\"_blank\"><img src=\"http://www.gunsling.info/2I4uo7iDo8R34IeV5esxzXSpx4PsiCzb8aqn%252B57Q0KS%252FxUfAingqSNtSEEP4tzwVEQ6XVEtbuUjUH8%252FG%252BYRANGw%253D%253D\"></a><br><div> \n          <a href=\"http://www.gunsling.info/2iTkPt9PgxlN9tOQ8UKy8rRhhFS5joN9ehx95iPE1UVJelMv16XVZ9Stf9fSCfYWkiHDDCEsgNxD5CQTHDqY67Q%253D%253D\" TARGET=\"_blank\"><img src=\"http://www.gunsling.info/2oD9pxy7JeXyw32Yp3ekhBeGbj3g7bPHho9enphZFOP7kGKII2laOq026ltxtm5c9vnNutD1lw3RSI21h70cg%252Bg%253D%253D\"></a><br>\n<div><br><div><br>\n  </body>\n</html>\n<br>  <br> <br> \n\n<a href=\"http://www.gunsling.info/2iTkPt9PgxlN9tOQ8UKy8rRhhFS5joN9ehx95iPE1UVJelMv16XVZ9Stf9fSCfYWkiHDDCEsgNxD5CQTHDqY67Q%253D%253D\" TARGET=\"_blank\">A\n</font><font face=\"Arial, Helvetica, sans-serif\" size=\"1\" ><center>NETWORK NOW Email Unsubscribe \nPO Box 17598	<Baltimore	MD	21297-1598");
            }
    
            private void Button_Click_1(object sender, RoutedEventArgs e)
            {
                MessageView.NavigateToString("Worked?");
            }
        }
    }
    

    The above was on a xaml page I created which had two buttons and a WebView (MessageView as named above.  It is enough to reproduce the problem, first click button 1 to call button_click then click button 2 which calls button_click_1 and freezes.

    -Rob

    Thursday, August 7, 2014 2:02 PM
  • If you can confirm that you can reproduce the problem with the smaller sample code, I would like to take the dump file off of skydrive/onedrive.

    I will soon be going out for about 1-2 hours and will not be able to respond other than short messages from phone.


    -Rob

    Thursday, August 7, 2014 2:51 PM
  • https://onedrive.live.com/redir?resid=E13DC9CBA1B5409D%2118669

    Above is the sample code in a project file App1.zip  ..  By sample code I mean the short sample I most recently provided.


    -Rob

    Thursday, August 7, 2014 3:06 PM
  • I can reproduce it.

    Matt Small - Microsoft Escalation Engineer - Forum Moderator
    If my reply answers your question, please mark this post as answered.

    NOTE: If I ask for code, please provide something that I can drop directly into a project and run (including XAML), or an actual application project. I'm trying to help a lot of people, so I don't have time to figure out weird snippets with undefined objects and unknown namespaces.

    Thursday, August 7, 2014 3:23 PM
    Moderator
  • Not that it's right, but the malformed HTML is causing this problem. Here's where it gets malformed:

    ...
    </html> EVERYTHING AFTER THIS IS BAD HTML
    \n<br>  <br> <br> \n\n<a href=\"http://www.gunsling.info/2iTkPt9PgxlN9tOQ8UKy8rRhhFS5joN9ehx95iPE1UVJelMv16XVZ9Stf9fSCfYWkiHDDCEsgNxD5CQTHDqY67Q%253D%253D\" TARGET=\"_blank\">A\n</font><font face=\"Arial, Helvetica, sans-serif\" size=\"1\" ><center>NETWORK NOW Email Unsubscribe \nPO Box 17598	<Baltimore	MD	21297-1598

    If you validate your HTML before navigating to it, I don't think you'll have this problem.  I'll file a bug against this as well.


    Matt Small - Microsoft Escalation Engineer - Forum Moderator
    If my reply answers your question, please mark this post as answered.

    NOTE: If I ask for code, please provide something that I can drop directly into a project and run (including XAML), or an actual application project. I'm trying to help a lot of people, so I don't have time to figure out weird snippets with undefined objects and unknown namespaces.

    • Marked as answer by Rob Wilkens Thursday, August 7, 2014 5:43 PM
    Thursday, August 7, 2014 3:39 PM
    Moderator
  • Thank you - I am hoping for a patch that fixes this as I'm not sure how to validate html when I am not the author of the html nor can I guess who is.   I could probably easily truncate the string at the "</html>" marker easy enough, which would at least solve this one case.

    Can I get notification when/if a fix is available?

    Rob


    -Rob

    Thursday, August 7, 2014 5:33 PM
  • I added the code to strip everything after a (converted to upper case with ToUpper()) "</HTML>" (combining use of SubString and IndexOf)..

    That seems to solve this particular problem for me, I'm submitting an update for my app shortly which includes this.

    I would love to see this actually fixed in Windows though, so it does not freeze if something else gets through that I did not catch.


    -Rob

    Thursday, August 7, 2014 5:46 PM