Script error invalid character using the WebBrowser control RRS feed

  • Question

  • One of our applications was broken after installing IE7. We narrowed the problem down to the below:

    WebBrowser browser = new WebBrowser();
    browser.DocumentText = "<script src=\"file://c:\test\foo.js\"></script><p>test</p>";

    This code works fine under IE6, but when running on IE7 you get the error:
    Line: 2
    Error: Invalid Character
    Code: 0
    URL: about:blank

    It doesn't matter what is in the foo.js file, it can be completely blank and you will get the error. If you replace the file://c:\test\foo.js with a valid http URL (Internet zone), it works fine. If you create a file with the contents and load it into the control using browser.Navigate() it also loads fine. So it seems related to security.

    Any ideas? This repros 100% on WinXP SP2 with IE7 Final.



    Friday, October 20, 2006 3:00 AM

All replies

  • but what about getting the same error message here: ?

    i hope now we'll get faster an answer

    Sunday, October 22, 2006 6:31 AM
  • There are some new information disclosure fixes in IE 7 that disallow arbitrary usage of the file system for loading of scripts. There are several fixes available to get you up and running. First, don't use an internet zone page for the content, instead load a dummy HTML page from disk to put the browser control into the local machine zone. Then you can load from the local machine zone just fine.

    The second is to show intent that you don't mind allowing web-sites arbitrary access to scripts on your local machine by setting a feature control key. Some applications don't load internet content and so aren't vulnerable and so the usage of the key is a valid fix:

    HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT (registry key)

    MyAppName.exe:DWORD(0x0) (registry value)

    Hopefully one of these options is suitable for your scenario. We warn against setting the feature control key for your application unless you are sure that internet content is not going to be loaded by your application.

    Sunday, October 22, 2006 6:44 PM
  • Justin -- thanks for the suggestion.

    We tried the following:

    WebBrowser browser = new WebBrowser();
    browser.Navigate(@"c:\test\blank.html");     // suggestion 1: try put the browser in local machine mode
    browser.DocumentText = "<script src=\"file://c:\test\foo.js\"></script><p>test</p>";     // still yields same script error

    We also added some code to make sure the navigate was complete before setting the DocumentText for good measure but that did not make a difference, we get the same script error.

    It looks like when you do a document.write() it blows away the context altogether. As a host of the control, I would think there would be a programmatic way to control the zone security policy. Changing the registry is not really a good option since we also show some real web pages.

    This seems like a very common scenario for MSHTML -- generate some dynamic content in memory which references scripts. I'm surprised this doesn't break applications like Money, etc. We really would like to avoid writing to a temporary file each time, although that does solve the problem.




    Monday, October 23, 2006 12:27 AM
  • The document write may indeed blow away your context. But gaining access to the elements inside the body of the current document would not. Once you navigate, you can try to inject HTML into the document by getting the body element and doing an innerHTML call on that.

    browser.Document.Body.InnerHtml seems to be the .NET syntax you'd want.

    Is this a common scenario? Well, yes and no. By adopting about:blank, you automatically get placed into the Internet zone in most cases (there are some exceptions). Controls want this to occur because they get more protection from the web in this mode which is why the .NET WebBrowser control behaves the way it does. Secure by default is our end goal in almost all cases.

    Note, if you don't care about the dynamic scenario, you can always write to disk as well. I always put this out there just in case the application at hand warrants the approach. If you truly want dynamic page generation though, I think doing what you've done above, grabbing the body and injecting content will solve your problem.

    Monday, October 23, 2006 12:41 AM
  • John

    I am not sure whether this is relevant.

    But I faced exactly the same problem you had described, and my problem was fixed after I added the about:blank to the trusted sites in IE7. Well this is not the best of the solutions but it solves the problem. I am working on devising an alternative solution for this.  Thanks,
    Monday, October 30, 2006 3:20 PM
  • It works for me too, Prabs, thanks a lot! But the problem now is I get all the time a security warning asking me if I allow the current Web page to open a site in my Trusted sites list which is, of course, about:blank
    Monday, October 30, 2006 4:04 PM
  • Since going to IE-7 I encounter this message when I open some but not all of the logs in my Norton Internet Security suite.  The problem with allowing all communication with URL about:blank is that about:blank is an infamous purveyor of malware.  They are notorious especially but far from exclusively for homepage hijack exploits.  They have numerous publications that include downloaders, Trojans, web trackers, etc.  Questions: Why are we seeing this message? How is it related to adopting IE-7? How do we fix it without allowing bad guys free access? I can tell you that Norton Antivirus does not detect a problem, nor do eTrust Pest Patrol, Ad-aware, or SpySweeper.
    Saturday, November 4, 2006 7:04 PM
  • One way I fixed that error - about:blank

    1.right click on the desktop - select properties

    2. chose the desktop tab

    3. click on the button customise desktop

    4 select the web tab

    5. click on the properties button

    6. stay under the default settings -

    7. web documents tab -then uncheck make this page available offline apply and ok

    8. Then close out of all windows you have open

    You will find that you are having no more problems with this any more

    . PS. Hope this helps everyone thats still having problem!

    Saturday, November 18, 2006 2:04 AM
  • Sorry, not in my case
    Saturday, November 18, 2006 3:30 AM
  • I did a clean reinstall of everything and now is working  Twilight Zone...
    Monday, November 27, 2006 9:21 PM
  • I am still faced with the problem that I can not use the Windows Live OneCare safety scanner.  How did you add the about:blank to the trusted sites in IE7?
    Tuesday, December 5, 2006 3:56 AM
  • Hi,

    Getting the same error but in a slightly different manner, it is happening for me when I try to set the browser URL to that of an Authorware .AAM file:


    It works fine if I use IE7 with "myserver" in the list of IE's trusted sites but doesn't work in an application using the WebBrowser control.

    The registry modifications suggested by Justin Rodgers does work, but is an unacceptable solution to my situation as the application with the WebBrowser control is already deployed to thousands of machines.

    I'm really trying to find a solution that can be implemented on the server side.


    Monday, December 11, 2006 10:04 PM
  • Control Panel => Internet Options => Security tab => select "Trusted sites" => click on "Sites" button => Trusted sites window => "Add this website to the zone:" - write "about:blank" => click on "Add" button => click on "Close" button => click "OK" in Internet Properties window.

    But, like I said, after a clean installation of Windows, I uninstalled IE6 from "Add/Remove Windows Components" and I installed IE7 and everything worked fine, I did not need this "solution" anymore.

    Monday, December 18, 2006 6:18 AM
  • Control Panel => Internet Options => Security tab => select "Trusted sites" => click on "Sites" button => Trusted sites window => "Add this website to the zone:" - write "about:blank" => click on "Add" button => click on "Close" button => click "OK" in Internet Properties window.

    But, like I said, after a clean installation of Windows, I uninstalled IE6 from "Add/Remove Windows Components" and I installed IE7 and everything worked fine, I did not need this "solution" anymore, neither making My Home Page unavailable offline.

    Monday, December 18, 2006 6:28 AM
  • After digging for two days, I think I found the reason. When your code calls write(), IE implicitly opens a new document (calls open() implicitly), even when open() is called just before. For script object of IE, it can initialize the URL of the new document with the file it resides. But for COM call, no context exists, then IE will still initialize the new doc with "about:blank". So, write() operation will create a doc in "about:blank" instead of in the page before write() is called. Together with the LMZ_SCRIPT restriction, loading external JS file will fail.

    One solution is the registry change mentioned by Justin previously, by allowing LMZ_SCRIPT for certain applications.

    I also found a registryless workaround. You can use a dummy HTML file with a helper javascript function in it, and navigate to this file first. When your application wants to write HTML containing script, call document.write() through the helper JS function. Then the call is made under correct context. This is a reasonable trick that we are making use of the context of <script>.

    <script language="javascript">
    function WriteHelper(str)
    In C++ Code:
    // Get IHTMLWindow2 from IHTMLDocument2, say, pWin
    // Use pWin->GetIDsOfNames() to get "WriteHelper" method of pWin
    // Use pWin->Invoke() to invoke the javascript function, providing the string as parameter

    I tried this way to write "<script src='jscript1.js'></script>" and it works, as long as JS file is in the same domain of the helper HTML. By this way you don't have to change the registry.

    Wednesday, January 10, 2007 3:17 PM
  • Thanks for this tip (I wouldn't have thought of that !)

    Next problem is calling IDispatch::Invoke() from C# (most development is .NET nowdays).

    I got as far as getting an IDispatch from IHTMLWindow2, courtesy of interop but GetIDsOfNames() keeps failing .

    Do you know of some working C# (or VB.NET) code for calling IDispatch ?
    Thursday, January 11, 2007 9:23 AM
  • Well, never could get GetIDsOfNames() to return anything useful so I tried a more mundane trick, generating a temporary HTML (I initially wanted to avoid relying on the filesystem) file and loading it : it worked.

    The temp file contains the needed <script> elements, this time, and I get no complains about "uncorrect character line 1", everything hunky dory.

    Hope it helps someone :)
    Thursday, January 11, 2007 7:44 PM
  • Had the exact same problem.  The solution I went with was to load a blank html file on startup, and do all further updates by modifying the page using the DOM, rather than replacing it via DocumentText.  That included creating the link to the external javascript file using the DOM, as shown below:

        HtmlElement newElement = webBrowser1.Document.CreateElement("script");
        newElement.SetAttribute("type", "text/javascript");
        newElement.SetAttribute("src", "file://C:/junk/junk.js");
        HtmlElement head = webBrowser1.Document.GetElementsByTagName("head")[0];
    Monday, January 22, 2007 10:43 PM
  • While activating action key to scan on Window Live one care the following error appeared:-

    Internet Explorer script error

    An error occured the script on this page

    Line: 90
    Error: Obect expected
    Code: 0
    URL: about:blank


    And then it asks do you want to continue ??


    On each action Yes or No there is no function


    Appriciate if any cure for this is send to me on my mail id :


    Wednesday, August 15, 2007 4:48 AM
  • Thank u so much. I've had this issue since Christmas when my hubby got his new mp3 player and has been downloading songs. Your solution so helped.

    Saturday, December 29, 2007 3:28 PM
  • thank you, Berriman! that helped! i'm not getting any messages anymore!
    Wednesday, July 28, 2010 4:41 PM
  • Hello,


    Considering that many developers in this forum ask how to manipulate WebBrowser component (suppressing error messages), my team has created a code sample for this frequently asked programming task in Microsoft All-In-One Code Framework. You can download the code samples at:








    With these code samples, we hope to reduce developers’ efforts in solving the frequently asked

    programming tasks. If you have any feedback or suggestions for the code samples, please email us:


    The Microsoft All-In-One Code Framework ( is a free, centralized code sample library driven by developers' needs. Our goal is to provide typical code samples for all Microsoft development technologies, and reduce developers' efforts in solving typical programming tasks.

    Our team listens to developers’ pains in MSDN forums, social media and various developer communities. We write code samples based on developers’ frequently asked programming tasks, and allow developers to download them with a short code sample publishing cycle. Additionally, our team offers a free code sample request service. This service is a proactive way for our developer community to obtain code samples for certain programming tasks directly from Microsoft.


    Microsoft All-In-One Code Framework



    Friday, March 25, 2011 3:25 AM