Thursday, June 2, 2016

Custom URL protocol - Registering the Application Handling the Custom URI Scheme

Here's how it works:

1. User clicks "Print" on the website.

2. Website links user to "CustomURL://Print/{ID}".

3. Application is launched by Windows via the custom URI scheme.

4. Application communicates with the pre-configured server to confirm the print request and in my case get the actual print command.

5. The application then uses the C# RawPrinterHelper class to send commands directly to the printer.

To handle the alert scheme:

<a href="alert:test1 test2">test</a>


HKEY_CLASSES_ROOT
   alert
      (Default) = "URL:Alert Protocol"
      URL Protocol = ""
      DefaultIcon
         (Default) = "alert.exe,1"
      shell
         open
            command
               (Default) = "C:\Program Files\Alert\alert.exe" "%1"

Alert.reg example:

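Windows Registry Editor Version 5.00

; The "URL Protocol" value only has to exist; it is left empty.
[HKEY_CLASSES_ROOT\alert]
"URL Protocol"=""
@="URL:Alert Protocol"

[HKEY_CLASSES_ROOT\alert\DefaultIcon]
@="alert.exe,1"

; "%1" receives the full URI and must stay quoted.
[HKEY_CLASSES_ROOT\alert\shell\open\command]
@="\"C:\\Program Files\\Alert\\alert.exe\" \"%1\""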


using System;
using System.Collections.Generic;
using System.Text;

namespace Alert
{
  class Program
  {
    static string ProcessInput(string s)
    {
       // TODO Verify and validate the input 
       // string as appropriate for your application.
       return s;
    }

    static void Main(string[] args)
    {
      Console.WriteLine("Alert.exe invoked with the following parameters.\r\n");
      Console.WriteLine("Raw command-line: \n\t" + Environment.CommandLine);

      // Each argument is untrusted input that originates from the clicked link.
      foreach (string s in args)
      {
        Console.WriteLine("\t" + ProcessInput(s));
      }
      Console.WriteLine("\nPress any key to continue...");
      // Wait for the key press that the prompt above asks for.
      Console.ReadKey();
    }
  }
}


cmd> "C:\Program Files\Alert\alert.exe" "alert:Hello World"

To reset the external protocol handler setting in Chrome:

Edit the "Local State" file:

C:\Users\Username\AppData\Local\Google\Chrome\User Data\Local State


%USERPROFILE%\AppData\Local\Google\Chrome\User Data\

Search for: protocol_handler

Security Issues

As noted above, the string that is passed to a pluggable protocol handler might be broken across multiple parameters. Malicious parties could use additional quote or backslash characters to pass additional command line parameters. For this reason, pluggable protocol handlers should assume that any parameters on the command line could come from malicious parties, and carefully validate them. Applications that could initiate dangerous actions based on external data must first confirm those actions with the user. In addition, handling applications should be tested with URIs that are overly long or contain unexpected (or undesirable) character sequences.
For more information, please see Writing Secure Code.
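
One way to fill in the ProcessInput TODO along the lines this section describes, as an added example that is not part of the original post or of the sample above. The class name AlertUriValidator, the 256-character cap and the character allowlist are assumptions to adapt to your application.

```csharp
using System;
using System.Text.RegularExpressions;

static class AlertUriValidator
{
    const string Scheme = "alert:";   // scheme registered on this page
    const int MaxLength = 256;        // assumed cap on the raw argument
    // Assumed allowlist for the decoded payload; widen only as far as the app needs.
    static readonly Regex Allowed = new Regex(@"\A[A-Za-z0-9 .,!?_-]{1,128}\z");

    // True only when args is exactly one alert: URI whose decoded payload
    // passes the allowlist; message then holds that payload.
    public static bool TryParse(string[] args, out string message)
    {
        message = null;
        // More than one argument means quotes or backslashes in the URI split
        // the command line: reject instead of re-joining the pieces.
        if (args == null || args.Length != 1) return false;

        string raw = args[0];
        if (raw.Length > MaxLength) return false;
        if (!raw.StartsWith(Scheme, StringComparison.OrdinalIgnoreCase)) return false;

        // Decode once. A double-encoded payload still contains '%' afterwards
        // and fails the allowlist, as do quotes, backslashes and control characters.
        string decoded = Uri.UnescapeDataString(raw.Substring(Scheme.Length));
        if (!Allowed.IsMatch(decoded)) return false;

        message = decoded;
        return true;
    }

    static void Main()
    {
        // Constructed argument vectors, as Main(string[] args) would receive them.
        string[][] samples =
        {
            new[] { "alert:Hello%20World" },             // well-formed, percent-encoded
            new[] { "alert:Hello World" },               // well-formed, already decoded
            new[] { "alert:test1", "second-argument" },  // URI split into two arguments
            new[] { "alert:%2522quoted%2522" },          // double-encoded quote characters
            new[] { "alert:" + new string('A', 5000) },  // overly long URI
        };
        foreach (string[] args in samples)
        {
            string msg;
            bool ok = TryParse(args, out msg);
            Console.WriteLine((ok ? "ACCEPT " : "REJECT ") + args[0].Substring(0, Math.Min(args[0].Length, 40)));
        }
    }
}
```

A handler that goes on to do something with side effects, such as printing, would still confirm the action with the user after TryParse succeeds.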

