IResourceLoadingCallback does not work when saving as PDF which is a SSRF issue for us


On a webserver we are converting html that is uploaded by users to Word or PDF. We don’t want to load all resources because then a hacker could upload a html file with the path of an image on the webserver and it will be included in the export.

For Word export we fixed this by implementing the IResourceLoadingCallback and this works perfectly. However when we use the same code and save as PDF this doesn’t work.

The only difference in the code is that for Word we have this as the last line:
document.Save(dstStream, SaveFormat.Docx);

And for PDF this:
document.Save(dstStream, SaveFormat.Pdf);

The IResourceLoadingCallback is called in both occasions but it seems the response ResourceLoadingAction.Skip is ignored for PDF and not for Docx.



Thanks for your inquiry. To ensure a timely and accurate response, please attach the following resources here for testing:

  • Your input Word document.
  • Please attach the output PDF file that shows the undesired behavior.
  • Please create a standalone console application (source code without compilation errors) that helps us to reproduce your problem on our end and attach it here for testing.

As soon as you get these pieces of information ready, we’ll start investigation into your issue and provide you more information. Thanks for your cooperation.

PS: To attach these resources, please zip and upload them.


I’m sorry but I’m unable to reproduce the issue anymore.
Thanks for the assistance and case closed!