A Note about the DHTML Editing Control in IE7+

Hi, I’m B. Ashok, the Product Unit Manager for Web Development Tools – we have our own team blog (https://blogs.msdn.com/webdevtools), but I wanted to post over here to discuss a change my team has made which has an effect on users of IE7+ in Windows Vista. Specifically, we are removing the DHTML Editing Control from the Windows Vista product.

The DHTML Editing Control shipped in Windows XP and Windows 2003 Server, in a file called dhtmled.ocx. This file contained two flavors of the control:

1. DHTML Editing Control (Safe for Scripting). This version of the control is marked safe to script, and can be used to provide visual editing of HTML content when browsing a web site in the Internet Explorer browser. The component GUID for this flavor of the control is: 2D360201-FFF5-11d1-8D03-00A0C959BC0A.

2. DHTML Editing Control (For Applications). This version of the control is less restricted and is typically used inside a Windows application to provide visual editing of HTML content. An example would be a C++ or Visual Basic application which hosts this component to provide visual HTML editing. The component GUID for this flavor of the control is: 2D360200-FFF5-11d1-8D03-00A0C959BC0A

In Windows Vista, we have decided to remove both flavors of this control from the operating system to reduce surface area for security attacks. In the past, this control was used as an attack vector that allowed cross site scripting (for which it had to be patched). After doing an analysis of real-world usage of the control, we have decided the best option is to remove the two flavors on the control from Windows Vista in order to make IE7+ more secure. In the near future, we will also killbit the Safe for Scripting control in IE7 in Windows XP so that it will not get instantiated from the browser.

We wanted to mention this now to give anyone who may be relying on either flavor of this control enough time to make any necessary changes prior to the final release of Windows Vista. Overall we believe usage of the control in the real world is fairly limited, however you could be impacted in one of three general ways:

1. You are using Outlook Web Access (OWA) from IE7+ on Windows Vista, and are accessing an Exchange 2000 or Exchange 2003 server which doesn’t have all the latest updates. If your Exchange server has the latest critical updates, then Outlook Web Access no longer relies on the DHTML Editing Control, and you will not encounter any issues accessing OWA from Windows Vista. However, if your Exchange server isn’t updated with the latest updates, you may not be able to compose new emails in Outlook Web Access from within IE7+ in Windows Vista Beta 2. To solve this problem, you should ask your Exchange admin to install the critical update https://support.microsoft.com/kb/911829 - this update removes OWA dependencies on the DHTML Editing Control. Once the Exchange server is patched with this update, composing emails in OWA will work fine from Windows Vista clients.

2. You are using a web site which relies on the Safe for Scripting version of the DHTML Editing Control from IE7+ on Windows Vista. In doing a web crawl search of Internet web sites, we found almost no Internet web sites using the DHTML Editing Control. However, we were unable to search web sites on Intranets, so it is possible that Intranet web sites (e.g. internal corporate web sites) may be using the DHTML Editing Control. If that is the case, the recommendation is to have those applications switch to another similar technology which utilizes the built-in editing available in Internet Explorer 6 and higher. There are several such components - https://freetextbox.com/default.aspx is one good example of one.

3. The last scenario where you might be impacted is if you are using a Windows application that relies on the DHTML Editing Control For Applications. By the RC1 release of Windows Vista, my team will be providing a separate install of the DHTML Editing Control For Applications, which can be installed on Windows Vista and will provide compatibility for Windows applications that may rely on this control. This install will only include the “For Applications” flavor of the control and will not include the “Safe for Scripting” flavor of the control. In doing so, we keep IE7+ in Windows Vista secure from potential security risks since the “For Applications” flavor of the control cannot be loaded in the browser.

Prior to the RC1 release of Windows Vista, we will also publish a whitepaper which goes into more detail regarding the removal of the control from Windows Vista, and explains how one can implement some of the changes suggested above.

To summarize, we are making these changes because we feel the overall benefit of increasing security significantly outweighs the benefits of leaving the DHTML Editing Control in Windows Vista. I encourage folks to ask questions and provide feedback so we can help anyone that may need more information about these changes. You can write to me directly at bash-at-microsoft.com if you have any questions or feedback on this change.

Thanks,
-- Bash

Comments

• Anonymous
  June 27, 2006
  The comment has been removed

• Anonymous
  June 27, 2006
  Good move on behalf of increasing security in IE7.

• Anonymous
  June 27, 2006
  Bash please confirm that contenteditable=true is not impacted by this change.

• Anonymous
  June 27, 2006
  contenteditable=true is not affected by this change and will continue to work as before.
  
  -- Bash

• Anonymous
  June 27, 2006
  What?
  
  Why remove it from the OS totally and therefore make it unavailable to those third-party apps using WebBrowser? If you want to killbit the control in IE7 that's your choice, but I'm not sure why the decision was made to yank it out entirely. Unless there's a big scary bug that makes it dangerous?

• Anonymous
  June 27, 2006
  If you have a 3rd party webbrowser app that is using the control, we can work with you on that.  Please email me directly regarding this.

• Anonymous
  June 27, 2006
  great, a new reason to switch to firefox

• Anonymous
  June 27, 2006
  The comment has been removed

• Anonymous
  June 27, 2006
  Does someone have a link to an example site which is using this control?

• Anonymous
  June 27, 2006
  Our Corporate Intranet uses this control.
  Please note: You can't find intranet sites by and simple website crawl search and most of these sites are password protected.
  
  An example is:  http://www.contens.de/ww/en/pub/products/enterprise.htm
  
  Please: don't remove this control. Make it safe ;-)
  
  Matthias

• Anonymous
  June 27, 2006
  Matthias: Now is the time to make your Corporate Intranet cross-browser safe.

• Anonymous
  June 28, 2006
  Dave: What do you mean? The browser is part of the OS. They're so tightly coupled that there's no way to distinguish between them. To include the control in one is to include it in the other. It's the MS way!
  

• Anonymous
  June 28, 2006
  I just love this guy's email address. Bash (at) Microsoft dot com. Doesn't get better than that...

• Anonymous
  June 28, 2006
  I'm not quite sure about DHTML Editing Control, but what I'm pretty sure is, this announcement is a very honest and respectable move, making Microsoft an even more responsible software leader. I believe Bash was expecting for "some shots" here but perhaps to him, something is more important than the shots -- making Microsoft a responsible and transperant leader. Microsoft, a salute to you!

• Anonymous
  June 28, 2006
  Hey Antonio, need some chapstick there?

• Anonymous
  June 28, 2006
  i actually think this is a smart and positive move on microsoft's part. it's one of the few posts on this blog that actually makes sense to me :P

• Anonymous
  June 28, 2006
  What about showing glyphs, which is a very usefull feature of the DHTML Editing Control?? As far as I know that feature is not built in nativly in IE7. Another issue that I have experienced is that document.designMode  doesn't work in modal or modeless windows!! I work on a company that are developing a CMS wich takes advantage of both modal-windows and the DHTML Editing Control. Removing the control means a huge difference for us. The modal windows and the edit control was a strong argument for us to choose the IE-platform, now it seems the we can't use any of them. Thats bad...

• Anonymous
  June 28, 2006
  when can we test the contenteditable=true function under IE7+

• Anonymous
  June 28, 2006
  @ Erik Strandman
  
  This may help you to stay working with the Windows web browsing platform:
  
   http://www.zeepe.com/
  
  

• Anonymous
  June 28, 2006
  i would post this elsewhere but i clicked give feedback but it took me nowhere useful.  why did the IE icon get reverted to the old old old one?  why?  what was wrong with the current one?  if you're going to change it, please make it snappier and prettier, please~

• Anonymous
  June 28, 2006
  Hello Matthias,
  
  I would recommend looking at freetextbox - http://freetextbox.com/default.aspx which provides similar functionality but also has the added benefit of being cross-browser.
  
  My team will also be releasing a whitepaper on MSDN which explains how to wrap built-in IE editing capabilities to get the same kind of functionality without relying on the DHTML Editing Control.
  

• Anonymous
  June 28, 2006
  Hello Erik,
  
  Is your CMS applicaiton a Windows applicaiton or an browser based application?  In other words is the DHTML Editing Control loaded inside a browser page, or inside a windows application?
  
  

• Anonymous
  June 28, 2006
  The fact is that if very few sites were using the control, then it makes better business sense to remove it for security purposes than it does to keep it in to keep supporting a very small audience.
  
  Bravo, Microsoft!

• Anonymous
  June 28, 2006
  So we're still looking at august for beta 3?

• Anonymous
  June 28, 2006
  @Omar Khan
  
  I work for the same company as Erik and our product is a completely browser based-product. And as he said, since it isn't working with .designMode in modal or modeless windows this will make a huge change for us.

• Anonymous
  June 28, 2006
  @Adam: Microsoft hasn't formally announced a release date for Beta-3.  We're eager to get it to everyone as soon as it's ready-- Stay tuned to the IE blog for the latest news.  

• Anonymous
  June 28, 2006
  I am not a fan of Firefox in the least, but the comment "The fact is that if very few sites were using the control" may be a result of the fact that the other browser doesn't support it and many have moved to cross-browser tools such as fckeditor (www.fckeditor.net) or the previously mentioned FreeTextBox.  I had 8 sites that I transitioned to FCKEditor to support Firefox and OS-X.
  
  Hats of to Microsoft on IE 7

• Anonymous
  June 28, 2006
  @Karl-Johan: If you're not directly hosting the DHTML ActiveX control, you should be fine.
  
  For instance, the page http://msdn.microsoft.com/archive/en-us/samples/internet/ie55/editregions/editregions.htm still works just fine in Vista.  

• Anonymous
  June 28, 2006
  Concerning the reset button:
  http://blogs.msdn.com/ie/archive/2006/06/12/628499.aspx#comments
  
  why not just have a safe mode like mozilla/firefox?

• Anonymous
  June 28, 2006
  The webdevtools team has historically owned a control that shipped with IE5.5 and above.  This control...

• Anonymous
  June 28, 2006
  The comment has been removed

• Anonymous
  June 28, 2006
  We're using DHTML control to give our users the possibility to save data to their local disks. Do you have any proposals how to do this in IE7+ ?
  
  document.all.DHTMLEdit.DOM.body.innerHTML = sMyHTMLToSave;
  doccument.all.DHTMLEdit.SaveDocument('',true);
  

• Anonymous
  June 28, 2006
  Karl / Erik,
  
  Can you send me email directly at omark-at-microsoft-dot-com and i'll see if we can help in getting you information on how to achieve the same results, but without using the control.
  

• Anonymous
  June 28, 2006
  When can we expect beta 3 to arrive?
  
  will my application like MCE 2005 and MSN Explorer 9.2 break if i Install IE 7.0
  
  

• Anonymous
  June 28, 2006
  @m1t0s1s: "why not just have a safe mode"
  
  You can run IE without addons by right-clicking the desktop shortcut or using a link in the System Tools folder.  However, this doesn't reset everything-- it just runs without addons (a primary source of problems)
  
  @Jazper: Stay tuned to the IEBlog for news on Beta-3.  I use MCE2005+IE7 without problems.

• Anonymous
  June 28, 2006
  My application rely on the dhtml control. How about migration? Will I have to change the content editor control to a third party control?
  
  Please let me know.
  http://imhoproject.org

• Anonymous
  June 28, 2006
  why not use mshtml instead?
  
  i have blogged about the explorer control in 2.0
  http://weblogs.asp.net/hpreishuber/archive/2005/07/13/419281.aspx

• Anonymous
  June 29, 2006
  > We're using DHTML control to give our users the possibility to save data to their local disks. Do you have any proposals how to do this in IE7+ ?
  
  There's the Storage interface introduced by the WHATWG: http://www.whatwg.org/specs/web-apps/current-work/#scs-client-side
  As far as I know, the first browser to implement this is Firefox 2.

• Anonymous
  June 29, 2006
  This is great news, the last thing Microsoft needs is to have a bunch of exploits at launch time. Some people will never be happy!

• Anonymous
  June 29, 2006
    I don't know much about the IE7 so this question may be totally irrelevant. Can we develop IE7 or IE7+ add-ins, etc. using WinFX (managed code)?
  

• Anonymous
  June 29, 2006
  SECURITY WARNING TO MICROSOFT:
  
  The "thankyou.aspx" URL sent by jace allows users to bypass WGA check. Good luck.

• Anonymous
  June 29, 2006
  @EricLaw: thanks!

• Anonymous
  June 29, 2006
  A bit clueless but does this have an impact on web based wysiwygs such as TinyMCE and FCK ? ? I thought this was control IE used for these apps or has there since been a different control embedded into IE ? ?

• Anonymous
  June 29, 2006
  http://www.microsoft.com/downloads/details.aspx?familyid=4C1A8FBE-FB6A-47AC-867D-BB1F17E477EE&displaylang=en

• Anonymous
  June 29, 2006
  @GK: I haven't used WinFX, but it's pretty straightforward to create Addons using .NET 2.0.  .NET enables you to expose your .NET object as a COM object, which means that you can use .NET in IE.

• Anonymous
  June 29, 2006
  Is there a IE7+ beta 3 or is there only a IE7 beta 3??

• Anonymous
  June 29, 2006
  Here is a screenshot of the forthcoming FreeTextBox4. We'll have a preview release next week.
  
  
  ...

• Anonymous
  June 29, 2006
  The comment has been removed

• Anonymous
  June 29, 2006
  How does are the DHTML control and MSHTML related?  We're planning to use MSHTML in an upcoming app (hosted in a .NET Form).

• Anonymous
  June 29, 2006
  I believe that the DHTML control is a wrapper around MSHTML.

• Anonymous
  June 29, 2006
  adam said: "So we're still looking at august for beta 3?"
  
  Hehe, bet you're feeling kinda silly now eh?
  
  Who was ever looking at August?

• Anonymous
  July 01, 2006
  I need to load a CString into a DHTML ActiveX control for IE 5.
  
  If the CString is less than 600,000 chars then u can directly use put_DocumentHTML function.
  
  But if the CString is more than 600000 chars or so, then the only solution is to use LoadDocument or the LoadURL functions that can read the file from the hard drive. The problem is that the process of writing to the hard drive and reading back slows down things.
  
  anybody knows wuts wrong with put_DocumentHTML function ???????
  

• Anonymous
  July 04, 2006
  same =)

• Anonymous
  July 10, 2006
  The comment has been removed

• Anonymous
  July 11, 2006
  The comment has been removed

• Anonymous
  July 11, 2006
  Here is a screenshot of the forthcoming FreeTextBox4. We'll have a preview release next week.
  
  
  ...

• Anonymous
  August 24, 2006
  As you may have heard by now, the DHTML Editing Control is not shipping as a part of the Windows Vista...

• Anonymous
  September 25, 2006
  PingBack from http://www.casperize.com/2006/09/25/post2blog-200-rc/

• Anonymous
  October 07, 2006
  Ever wonder why Microsoft Outlook Web Access (OWA) has problem displaying message composer for composing

• Anonymous
  October 07, 2006
  Ever wonder why Microsoft Outlook Web Access (OWA) has problem displaying message composer for composing

• Anonymous
  October 16, 2006
  When copy/pasting from MS Word, the HTML it generates is really messy and can't be used verbatim. This

• Anonymous
  March 14, 2007
  Hi, I’m B. Ashok, the Product Unit Manager for Web Development Tools . As mentioned in my earlier post

• Anonymous
  March 14, 2007
  PingBack from http://thisoldcode.microfisch.com/PermaLink,guid,3afa2394-39eb-4bc1-b8cc-b2a45738ec27.aspx

• Anonymous
  April 01, 2007
  The comment has been removed

• Anonymous
  October 12, 2007
  PingBack from http://www.mt-soft.com.ar/2007/10/12/freetextbox4-and-ie7-mention/

• Anonymous
  March 10, 2008
  Du bruker Windows Vista og får en feilmelding I Windows Vista når du forsøker å redigere e-post o Outlook Web Access. Problemet kommer for eksempel når du forsøker å svare på en e-post i OWA. ...

• Anonymous
  March 10, 2008
  Du bruker Windows Vista og får en feilmelding I Windows Vista når du forsøker å redigere e-post o Outlook Web Access. Problemet kommer for eksempel når du forsøker å svare på en e-post i OWA. ...

• Anonymous
  April 03, 2008
  Last year, we made a post to the IE team blog about the removal of the DHTML Editing Control from the

• Anonymous
  April 04, 2008
  PingBack from http://david.newssiteworld.com/dhtmlissueswithvistaie7.html

• Anonymous
  January 17, 2009
  PingBack from http://www.hilpers.it/2771723-activex-microsoft-r-dynamic-html

• Anonymous
  May 29, 2009
  PingBack from http://paidsurveyshub.info/story.php?title=ieblog-a-note-about-the-dhtml-editing-control-in-ie7

• Anonymous
  June 08, 2009
  PingBack from http://cellulitecreamsite.info/story.php?id=4205