# HTML Application

> Mediated Wiki article. Canonical URL: https://mediated.wiki/source/HTML_Application
> Markdown URL: https://mediated.wiki/source/HTML_Application.md
> Source: https://en.wikipedia.org/wiki/HTML_Application
> Source revision: 1344815557
> License: Creative Commons Attribution-ShareAlike 4.0 International (https://creativecommons.org/licenses/by-sa/4.0/)

Microsoft Windows program

This article is about Microsoft's proprietary HTA implementation. For information regarding the HTML5 Cache Manifest, also referred to as offline HTML applications, see [Cache manifest in HTML5](/source/Cache_manifest_in_HTML5).

HTML Application (HTA) Filename extension .hta Internet media type application/hta Magic number %hta Developed by Microsoft Website learn.microsoft.com/en-us/previous-versions/ms536471(v=vs.85)?redirectedfrom=MSDN

An **HTML Application** (**HTA**) is a [Microsoft Windows](/source/Microsoft_Windows) program whose source code consists of [HTML](/source/HTML), [Dynamic HTML](/source/Dynamic_HTML), and one or more scripting languages supported by [Internet Explorer](/source/Internet_Explorer), such as [VBScript](/source/VBScript) or [JScript](/source/JScript). HTML is used to generate the user interface, and the scripting language is used for the program logic. An HTA executes without the constraints of the web browser security model; in fact, it executes as a "fully trusted" application.

The usual file extension of an HTA is .hta.

The ability to execute HTAs was introduced to Microsoft Windows in 1999, along with the release of [Microsoft Internet Explorer 5](/source/Microsoft_Internet_Explorer_5).[1] On December 9, 2003, this technology was [patented](/source/Patent).[2][3]

## Uses

HTAs give the developer the features of HTML together with the advantages of scripting languages. They are popular with Microsoft system administrators who use them for system administration from prototypes to "full-scale" applications, especially where flexibility and speed of development are critical.[4]

## Environment

### Execution

One screenshot of one example window that is produced by mshta.exe

An HTA is executed using the program mshta.exe, or, alternatively, double-clicking on the file. This program is typically installed along with Internet Explorer. mshta.exe executes the HTA by instantiating the Internet Explorer rendering engine (mshtml) as well as any required language engines (such as vbscript.dll).

An HTA is treated like any executable file with extension [.exe](/source/EXE). When executed via mshta.exe (or if the file icon is double-clicked), it runs immediately. When executed remotely via the browser, the user is asked once, before the HTA is downloaded, whether or not to save or run the application; if saved, it can simply be run on demand after that.[4]

By default, HTAs are rendered as per "standards-mode content in IE7 Standards mode and quirks mode content in IE5 (Quirks) mode", but this can be altered using X-UA-Compatible headers.[4]

HTAs are dependent on the Trident (MSHTML) browser engine, used by [Internet Explorer](/source/Internet_Explorer), but are not dependent on the Internet Explorer application itself. If a user [removes Internet Explorer](/source/Removal_of_Internet_Explorer) from Windows, via the Control Panel, the MSHTML engine remains and HTAs continue to work. HTAs continue to work in Windows 11 as well.

HTAs are fully supported running in modes equivalent to Internet Explorer versions 5 to 9. Further versions, such as 10 and 11, still support HTAs though with some minor features turned off.[*[citation needed](https://en.wikipedia.org/wiki/Wikipedia:Citation_needed)*]

### Security considerations

Main article: [Browser security](/source/Browser_security)

When a regular HTML file is executed, the execution is confined to the security model of the [web browser](/source/Web_browser). This means it is confined to communicating with the server, manipulating the page's [object model](/source/Object_model) (usually to validate forms and/or create interesting visual effects) and reading or writing [cookies](/source/HTTP_cookie).

On the other hand, an HTA runs as a fully trusted application and therefore has more privileges than a normal HTML file; for example, an HTA can create, edit and remove files and [registry](/source/Windows_Registry) entries. Although HTAs run in this 'trusted' environment, querying [Active Directory](/source/Active_Directory) can be subject to Internet Explorer Zone logic and associated error messages.

## Development

To customize the appearance of an HTA, an optional tag hta:application was introduced to the HEAD section. This tag exposes a set of attributes that enable control of border style, the program icon, etc., and provide information such as the argument (command line) used to launch the HTA.[5] Otherwise, an HTA has the same format as an HTML page.

Any text editor can be used to create an HTA. Editors with special features for developing HTML applications may be obtained from Microsoft[6] or from third-party sources.[7]

An existing HTML file (with file extension .htm or .html, for example) can be changed to an HTA by simply changing the extension to .hta.

## Vulnerabilities

HTA files have been used to deliver malware.[8][9] One particular HTA, named *[4chan](/source/4chan).hta* (detected by antiviruses as JS/Chafpin.gen), was widely distributed by users of the 4chan imageboard as a [steganographic](/source/Steganographic) image in which the user was instructed to download this image as an HTA file, which when executed, would cause the computer to automatically spam the website (evading 4chan's [CAPTCHA](/source/CAPTCHA) in the process) with alternate variants of itself. It was reported that such attacks were previously delivered in which the user was prompted to save it as a [.js](/source/JavaScript) file.[10]

## Example

This is an example of [Hello World](/source/%22Hello%2C_World!%22_program) as an HTML Application.

<HTML>
<HEAD>
<HTA:APPLICATION ID="HelloExample"
   BORDER="bold"
   BORDERSTYLE="complex"/>
<TITLE>HTA - Hello World</TITLE>
</HEAD>
<BODY>
<H2>HTA - Hello World</H2>
</BODY>
</HTML>

## See also

- [Adobe AIR](/source/Adobe_AIR)

- [Active Scripting](/source/Active_Scripting)

- [Apache Cordova](/source/Apache_Cordova)

- [Chromium Embedded Framework](/source/Chromium_Embedded_Framework)

- [Electron (software framework)](/source/Electron_(software_framework))

- [Firefox OS](/source/Firefox_OS)

- [React Native](/source/React_Native)

- [XAML Browser Applications](/source/XAML_Browser_Applications) (XBAPs)

- [XUL](/source/XUL) and [XULRunner](/source/XULRunner) - a language and environment for Mozilla cross-platform applications that resembles the mechanism of HTML Applications.

- [Windows Script Host](/source/Windows_Script_Host)

## References

1. **[^](#cite_ref-1)** [*Article ID:200874 in Microsoft Support*](http://support.microsoft.com/kb/200874), in Microsoft Support Knowledge Base

1. **[^](#cite_ref-2)** [US6662341B1](https://patents.google.com/patent/US6662341B1/en?oq=PN/6,662,341), Cooper, Phillip R.; Kohnfelder, Loren M. & Chavez, Roderick A., "Method and apparatus for writing a windows application in HTML", issued 2003-12-09

1. **[^](#cite_ref-3)** Festa, Paul (2003-12-10). ["Microsoft wins HTML application patent"](https://web.archive.org/web/20160310170211/http://www.cnet.com/news/microsoft-wins-html-application-patent/). *[CNET](/source/CNET)*. Archived from [the original](https://www.cnet.com/news/microsoft-wins-html-application-patent/) on 2016-03-10. Retrieved 2016-01-10.

1. ^ [***a***](#cite_ref-msintro_4-0) [***b***](#cite_ref-msintro_4-1) [***c***](#cite_ref-msintro_4-2) ["Introduction to HTML Applications (HTAs)"](https://msdn.microsoft.com/en-us/library/ms536496%28v=vs.85%29.aspx#Compatibility). *Microsoft MSDN*. May 2011. Retrieved 24 June 2016. Sections include Why Use HTAs, Creating an HTA, HTA-Specific Functionality, Security, Compatibility, Deployment

1. **[^](#cite_ref-5)** [*HTA:APPLICATION Object*](https://msdn.microsoft.com/en-us/library/aa360681(v=VS.85).aspx), in MSDN Library, the complete specification of the tag hta:application

1. **[^](#cite_ref-6)** [*HTA Helpomatic*](http://www.microsoft.com/downloads/details.aspx?FamilyId=231D8143-F21B-4707-B583-AE7B9152E6D9&displaylang=en)

1. **[^](#cite_ref-7)** [*HTAEdit, an editor for HTAs with a built-in debugger*](http://www.htaedit.com/)

1. **[^](#cite_ref-8)** ["Spora Ransomware Dropper Uses HTA to Infect System"](https://www.vmray.com/cyber-security-blog/spora-ransomware-dropper-hta-infect-system/). *VMRay*. 2017-01-17. Retrieved 2018-12-22.

1. **[^](#cite_ref-9)** ["8 Scariest Ransomware Viruses"](https://blog.netwrix.com/2017/06/01/nine-scariest-ransomware-viruses/). Retrieved 2018-12-22.

1. **[^](#cite_ref-10)** Constantin, Lucian (2010-08-10). ["4chan Flood Script Is Back with New Social Engineering Trick"](https://news.softpedia.com/news/4chan-Flood-Script-Is-Back-with-New-Social-Engineering-Trick-151603.shtml). *Softpedia*. Retrieved 2021-11-09.

## External links

- [HTML Component (HTC) Reference at MSDN](http://msdn2.microsoft.com/en-us/library/ms531018.aspx). An HTC encapsulates specific functionality or behavior within HTAs.

- [The Script Center](https://technet.microsoft.com/en-ca/scriptcenter/default.aspx), The Script Center, home of Hey, Scripting Guy! Blog

- [Learn About Scripting for HTML Applications (HTAs)](https://technet.microsoft.com/en-ca/scriptcenter/dd742317.aspx), a tutorial site for learning about HTA's

v t e Internet Explorer Versions Main 1 2 3 4 5 6 7 8 9 10 11 Other Mobile for Mac for UNIX IEs4Linux Overview History Add-ons Box model Browser Helper Object (BHO) Extensions Removal Shells Technologies Accelerator ActiveX HTML HTA HTML Components favicon.ico HTML+TIME Index.dat JScript MHTML MSXML Smart tags Temporary Internet Files Vector Markup Language Web Slice WPAD XHR/XDomainRequest Software and engines Administration Kit Developer Tools Integrated Windows Authentication Tasman MSHTML Chakra Implementations Active Channel Active Desktop ActiveMovie Channel Definition Format (.cdf) Comic Chat/Chat 2.0 DirectX Media Internet Mail and News Microsoft Java Virtual Machine (MSJVM) MSN Explorer MSN for Mac OS X MSN Program Viewer NetMeeting NetShow Outlook Express Server Gated Cryptography (SGC) Spyglass Windows Address Book Windows Desktop Update Events First Browser War Second Browser War Download.ject Eolas v. Microsoft Sun v. Microsoft United States v. Microsoft Corp. People Tantek Çelik Thomas Reardon Dean Hachamovitch Scott Isaacs Inori Aizawa Category

---
Adapted from the Wikipedia article [HTML Application](https://en.wikipedia.org/wiki/HTML_Application) by Wikipedia contributors ([contributor history](https://en.wikipedia.org/wiki/HTML_Application?action=history)). Available under [Creative Commons Attribution-ShareAlike 4.0 International](https://creativecommons.org/licenses/by-sa/4.0/). Changes may have been made.