Hello
We have recently had a penetration testing team test our application and they pointed out the fact that our clients can upload Word templates with potentially malicious content in the merge fields.
Is there any functionality in Aspose.Words to disable certain types of merge fields from executing? Tags like INCLUDETEXT etc can expose files on the server to attacks.
It may not be Aspose’s responsibility to provide some sort of security framework around this, but in case you do have something then I would like to learn about where I can find documentation for that. If you don’t then it wouldn’t be a bad little addition to your product.
Regards
Rob
@RobertEliasson You can find such field and unlink them, i.e. replace with their actual displayed content. For example see the following code:
Document doc = new Document(@"C:\Temp\in.docx");
doc.Range.Fields.Where(f => f.Type == FieldType.FieldIncludeText).ToList()
.ForEach(f => f.Unlink());
doc.Save(@"C:\Temp\out.docx");
If it is required to disable updating such fields using Aspose.Words, you can lock them:
Document doc = new Document(@"C:\Temp\in.docx");
doc.Range.Fields.Where(f => f.Type == FieldType.FieldIncludeText).ToList()
.ForEach(f => f.IsLocked = true);
doc.Save(@"C:\Temp\out.docx");
In this case the locked fields will not be updated by Aspose.Words upon calling Document.UpdateFields method.