A Note about the DHTML Editing Control in IE7+
Hi, I’m B. Ashok, the Product Unit Manager for Web Development Tools – we have our own team blog (http://blogs.msdn.com/webdevtools), but I wanted to post over here to discuss a change my team has made which has an effect on users of IE7+ in Windows Vista. Specifically, we are removing the DHTML Editing Control from the Windows Vista product.

The DHTML Editing Control shipped in Windows XP and Windows 2003 Server, in a file called dhtmled.ocx. This file contained two flavors of the control:

  1. DHTML Editing Control (Safe for Scripting). This version of the control is marked safe to script, and can be used to provide visual editing of HTML content when browsing a web site in the Internet Explorer browser. The component GUID for this flavor of the control is: 2D360201-FFF5-11d1-8D03-00A0C959BC0A.
  2. DHTML Editing Control (For Applications). This version of the control is less restricted and is typically used inside a Windows application to provide visual editing of HTML content. An example would be a C++ or Visual Basic application which hosts this component to provide visual HTML editing. The component GUID for this flavor of the control is: 2D360200-FFF5-11d1-8D03-00A0C959BC0A.

In Windows Vista, we have decided to remove both flavors of this control from the operating system to reduce the surface area for security attacks. In the past, this control was used as an attack vector that allowed cross-site scripting (for which it had to be patched). After doing an analysis of real-world usage of the control, we have decided the best option is to remove both flavors of the control from Windows Vista in order to make IE7+ more secure. In the near future, we will also killbit the Safe for Scripting control in IE7 on Windows XP so that it cannot be instantiated from the browser.
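The killbit mentioned above is the "Compatibility Flags" DWORD (bit 0x400) under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}. The following Python script is an added example, not part of this post or of any Microsoft tooling: it parses a `reg export` of that key and reports whether each of the two DHTML Editing Control CLSIDs listed above is killbitted. The embedded .reg text is a constructed sample.

```python
import re
import sys

# CLSIDs of the two flavors of dhtmled.ocx, as listed in the announcement above.
CONTROLS = {
    "DHTML Editing Control (Safe for Scripting)": "2D360201-FFF5-11D1-8D03-00A0C959BC0A",
    "DHTML Editing Control (For Applications)": "2D360200-FFF5-11D1-8D03-00A0C959BC0A",
}

# IE's kill bit: bit 0x400 of the "Compatibility Flags" DWORD stored under
# HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
KILL_BIT = 0x400

_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer"
    r"\\ActiveX Compatibility\\\{([0-9A-Fa-f-]{36})\}\]$", re.I)
_FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{1,8})$', re.I)


def parse_compat_flags(reg_text):
    """Map CLSID (upper-case) -> Compatibility Flags value from a .reg export."""
    flags, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = _KEY_RE.match(line)
        if key:
            current = key.group(1).upper()   # subsequent values belong to this CLSID
            continue
        val = _FLAGS_RE.match(line)
        if val and current:
            flags[current] = int(val.group(1), 16)
    return flags


def audit_dhtmled(reg_text):
    """Return {control name: True if its kill bit is set, else False}."""
    flags = parse_compat_flags(reg_text)
    return {name: bool(flags.get(clsid, 0) & KILL_BIT)
            for name, clsid in CONTROLS.items()}


# Constructed sample export: only the Safe for Scripting flavor is kill-bitted.
SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{2D360201-FFF5-11d1-8D03-00A0C959BC0A}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{2D360200-FFF5-11d1-8D03-00A0C959BC0A}]
"Compatibility Flags"=dword:00000000
"""

if __name__ == "__main__":
    # Real use: reg export "HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility" ax.reg
    # then: python audit_dhtmled.py ax.reg   (reg.exe writes the file as UTF-16 LE)
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    for name, killed in audit_dhtmled(text).items():
        print(f"{name}: {'kill bit set' if killed else 'NOT kill-bitted'}")
```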

We wanted to mention this now to give anyone who may be relying on either flavor of this control enough time to make any necessary changes prior to the final release of Windows Vista. Overall we believe usage of the control in the real world is fairly limited, however you could be impacted in one of three general ways:

  1. You are using Outlook Web Access (OWA) from IE7+ on Windows Vista, and are accessing an Exchange 2000 or Exchange 2003 server which doesn’t have all the latest updates. If your Exchange server has the latest critical updates, then Outlook Web Access no longer relies on the DHTML Editing Control, and you will not encounter any issues accessing OWA from Windows Vista. However, if your Exchange server isn’t updated with the latest updates, you may not be able to compose new emails in Outlook Web Access from within IE7+ in Windows Vista Beta 2. To solve this problem, you should ask your Exchange admin to install the critical update http://support.microsoft.com/kb/911829 – this update removes OWA dependencies on the DHTML Editing Control. Once the Exchange server is patched with this update, composing emails in OWA will work fine from Windows Vista clients.
  2. You are using a web site which relies on the Safe for Scripting version of the DHTML Editing Control from IE7+ on Windows Vista. In doing a web crawl search of Internet web sites, we found almost no Internet web sites using the DHTML Editing Control. However, we were unable to search web sites on Intranets, so it is possible that Intranet web sites (e.g. internal corporate web sites) may be using the DHTML Editing Control. If that is the case, the recommendation is to have those applications switch to another similar technology which utilizes the built-in editing available in Internet Explorer 6 and higher. There are several such components; http://freetextbox.com/default.aspx is one good example.
  3. The last scenario where you might be impacted is if you are using a Windows application that relies on the DHTML Editing Control For Applications. By the RC1 release of Windows Vista, my team will be providing a separate install of the DHTML Editing Control For Applications, which can be installed on Windows Vista and will provide compatibility for Windows applications that may rely on this control. This install will only include the “For Applications” flavor of the control and will not include the “Safe for Scripting” flavor of the control. In doing so, we keep IE7+ in Windows Vista secure from potential security risks since the “For Applications” flavor of the control cannot be loaded in the browser.

Prior to the RC1 release of Windows Vista, we will also publish a whitepaper which goes into more detail regarding the removal of the control from Windows Vista, and explains how one can implement some of the changes suggested above.

To summarize, we are making these changes because we feel the overall benefit of increasing security significantly outweighs the benefits of leaving the DHTML Editing Control in Windows Vista. I encourage folks to ask questions and provide feedback so we can help anyone that may need more information about these changes. You can write to me directly at bash-at-microsoft.com if you have any questions or feedback on this change.

Thanks,
– Bash

Comments (72)

  1. neimad says:

    Does this mean the contenteditable=true property will not work anymore?

    If so, then you have made my life hell.

  2. Cathode says:

    Good move on behalf of increasing security in IE7.

  3. Brian R. James says:

    Bash please confirm that contenteditable=true is not impacted by this change.

  4. Bash says:

    contenteditable=true is not affected by this change and will continue to work as before.

    – Bash

  5. Dave says:

    What?

    Why remove it from the OS totally and therefore make it unavailable to those third-party apps using WebBrowser? If you want to killbit the control in IE7 that’s your choice, but I’m not sure why the decision was made to yank it out entirely. Unless there’s a big scary bug that makes it dangerous?

  6. Bash says:

    If you have a 3rd party webbrowser app that is using the control, we can work with you on that.  Please email me directly regarding this.

  7. norberto says:

    great, a new reason to switch to firefox

  8. codemastr says:

    "great, a new reason to switch to firefox"

    Please explain how closing security holes in IE somehow gives you a reason to switch to firefox? Guess what? Firefox doesn’t have the DHTML control either! Whatever reason you think it’s bad for IE to get rid of it, switching to Firefox isn’t the answer.

    My God, if you Firefox fans are going to fill this blog with your stupid "I love Firefox, IE sucks" posts, at least make some sense!

  9. Jorrit says:

    Does someone have a link to an example site which is using this control?

  10. Matthias says:

    Our Corporate Intranet uses this control.

    Please note: You can’t find intranet sites by a simple website crawl search, and most of these sites are password protected.

    An example is:  http://www.contens.de/ww/en/pub/products/enterprise.htm

    Please: don’t remove this control. Make it safe ;-)

    Matthias

  11. Dao says:

    Matthias: Now is the time to make your Corporate Intranet cross-browser safe.

  12. Adam says:

    Dave: What do you mean? The browser is part of the OS. They’re so tightly coupled that there’s no way to distinguish between them. To include the control in one is to include it in the other. It’s the MS way!

  13. Alex says:

    I just love this guy’s email address. Bash (at) Microsoft dot com. Doesn’t get better than that…

  14. Antonio says:

    I’m not quite sure about DHTML Editing Control, but what I’m pretty sure is, this announcement is a very honest and respectable move, making Microsoft an even more responsible software leader. I believe Bash was expecting "some shots" here but perhaps to him, something is more important than the shots — making Microsoft a responsible and transparent leader. Microsoft, a salute to you!

  15. Phil says:

    Hey Antonio, need some chapstick there?

  16. nick botulism says:

    I actually think this is a smart and positive move on Microsoft’s part. It’s one of the few posts on this blog that actually makes sense to me :P

  17. Erik Strandman says:

    What about showing glyphs, which is a very useful feature of the DHTML Editing Control?? As far as I know that feature is not built in natively in IE7. Another issue that I have experienced is that document.designMode doesn’t work in modal or modeless windows!! I work at a company that is developing a CMS which takes advantage of both modal windows and the DHTML Editing Control. Removing the control means a huge difference for us. The modal windows and the edit control were a strong argument for us to choose the IE platform; now it seems that we can’t use either of them. That’s bad…

  18. larry says:

    When can we test the contenteditable=true function under IE7+?

  19. Jerry Mead says:

    @ Erik Strandman

    This may help you to stay working with the Windows web browsing platform:

     http://www.zeepe.com/

  20. jennifer says:

    I would post this elsewhere but I clicked "give feedback" and it took me nowhere useful. Why did the IE icon get reverted to the old old old one? Why? What was wrong with the current one? If you’re going to change it, please make it snappier and prettier, please~

  21. Omar Khan (omark-at-microsoft-dot-com) says:

    Hello Matthias,

    I would recommend looking at freetextbox – http://freetextbox.com/default.aspx which provides similar functionality but also has the added benefit of being cross-browser.

    My team will also be releasing a whitepaper on MSDN which explains how to wrap built-in IE editing capabilities to get the same kind of functionality without relying on the DHTML Editing Control.

  22. Omar Khan (omark-at-microsoft-dot-com) says:

    Hello Erik,

    Is your CMS application a Windows application or a browser-based application? In other words, is the DHTML Editing Control loaded inside a browser page, or inside a Windows application?

  23. Ed says:

    The fact is that if very few sites were using the control, then it makes better business sense to remove it for security purposes than it does to keep it in to keep supporting a very small audience.

    Bravo, Microsoft!

  24. adam says:

    So we’re still looking at august for beta 3?

  25. Karl-Johan Sjögren says:

    @Omar Khan

    I work for the same company as Erik and our product is a completely browser-based product. And as he said, since it isn’t working with .designMode in modal or modeless windows this will make a huge change for us.

  26. EricLaw [MSFT] says:

    @Adam: Microsoft hasn’t formally announced a release date for Beta-3. We’re eager to get it to everyone as soon as it’s ready. Stay tuned to the IE blog for the latest news.

  27. Steve Walker says:

    I am not a fan of Firefox in the least, but the comment "The fact is that if very few sites were using the control" may be a result of the fact that the other browser doesn’t support it and many have moved to cross-browser tools such as fckeditor (www.fckeditor.net) or the previously mentioned FreeTextBox.  I had 8 sites that I transitioned to FCKEditor to support Firefox and OS-X.

    Hats off to Microsoft on IE 7.

  28. EricLaw [MSFT] says:

    @Karl-Johan: If you’re not directly hosting the DHTML ActiveX control, you should be fine.

    For instance, the page http://msdn.microsoft.com/archive/en-us/samples/internet/ie55/editregions/editregions.htm still works just fine in Vista.  

  29. m1t0s1s says:

    Concerning the reset button:

    http://blogs.msdn.com/ie/archive/2006/06/12/628499.aspx#comments

    why not just have a safe mode like mozilla/firefox?

  30. The webdevtools team has historically owned a control that shipped with IE5.5 and above.  This control…

  31. PL says:

    People that can’t read shouldn’t be on the web.

    1. This is a SEPARATE ActiveX control that is being removed.

    2. IT HAS NOTHING to do with the contenteditable feature which is used by thousands of blogs, forums, contact forms, free email services….

    3. Learn to read properly.

    4. Learn to read properly.
  32. We’re using DHTML control to give our users the possibility to save data to their local disks. Do you have any proposals how to do this in IE7+ ?

    // Load the HTML to be saved into the control's document.
    document.all.DHTMLEdit.DOM.body.innerHTML = sMyHTMLToSave;

    // SaveDocument(path, promptUser): an empty path with promptUser set to true
    // makes the control prompt the user for the file name.
    document.all.DHTMLEdit.SaveDocument('', true);

  33. Omar Khan (omark-at-microsoft-dot-com) says:

    Karl / Erik,

    Can you send me email directly at omark-at-microsoft-dot-com and I’ll see if we can help in getting you information on how to achieve the same results, but without using the control.

  34. Jazper says:

    When can we expect beta 3 to arrive?

    Will my applications like MCE 2005 and MSN Explorer 9.2 break if I install IE 7.0?

  35. EricLaw [MSFT] says:

    @m1t0s1s: "why not just have a safe mode"

    You can run IE without addons by right-clicking the desktop shortcut or using a link in the System Tools folder. However, this doesn’t reset everything; it just runs without addons (a primary source of problems).

    @Jazper: Stay tuned to the IEBlog for news on Beta-3.  I use MCE2005+IE7 without problems.

  36. My application relies on the DHTML control. How about migration? Will I have to change the content editor control to a third-party control?

    Please let me know.

    http://imhoproject.org

  37. Why not use MSHTML instead?

    I have blogged about the explorer control in 2.0

    http://weblogs.asp.net/hpreishuber/archive/2005/07/13/419281.aspx

  38. Dao says:

    > We’re using DHTML control to give our users the possibility to save data to their local disks. Do you have any proposals how to do this in IE7+ ?

    There’s the Storage interface introduced by the WHATWG: http://www.whatwg.org/specs/web-apps/current-work/#scs-client-side

    As far as I know, the first browser to implement this is Firefox 2.

  39. This is great news, the last thing Microsoft needs is to have a bunch of exploits at launch time. Some people will never be happy!

  40. GK says:

    I don’t know much about the IE7 so this question may be totally irrelevant. Can we develop IE7 or IE7+ add-ins, etc. using WinFX (managed code)?

  41. antoniooi says:

    SECURITY WARNING TO MICROSOFT:

    The "thankyou.aspx" URL sent by jace allows users to bypass WGA check. Good luck.

  42. m1t0s1s says:

    @EricLaw: thanks!

  43. Mark McNally says:

    A bit clueless, but does this have an impact on web-based WYSIWYGs such as TinyMCE and FCK? I thought this was the control IE used for these apps, or has there since been a different control embedded into IE?

  44. EricLaw [MSFT] says:

    @GK: I haven’t used WinFX, but it’s pretty straightforward to create Addons using .NET 2.0.  .NET enables you to expose your .NET object as a COM object, which means that you can use .NET in IE.

  45. Will says:

    Is there a IE7+ beta 3 or is there only a IE7 beta 3??

  46. Here is a screenshot of the forthcoming FreeTextBox4. We’ll have a preview release next week.

  47. Omar Khan (omark-at-microsoft-dot-com) says:

    Hello Andrea,

    If your application is a web browser based application, then the recommendation is to transition to one of the free third party components that provide similar functionality:

    http://freetextbox.com/default.aspx

    http://www.fckeditor.net

    If the application is a Windows application (e.g. – C++ or VB), then we will be providing a separate redist that you can ship as part of your specific application.

  48. Chris says:

    How are the DHTML control and MSHTML related? We’re planning to use MSHTML in an upcoming app (hosted in a .NET Form).

  49. EricLaw [MSFT] says:

    I believe that the DHTML control is a wrapper around MSHTML.

  50. PatriotB says:

    adam said: "So we’re still looking at august for beta 3?"

    Hehe, bet you’re feeling kinda silly now eh?

    Who was ever looking at August?

  51. mm says:

    I need to load a CString into a DHTML ActiveX control for IE 5.

    If the CString is less than 600,000 chars then you can directly use the put_DocumentHTML function.

    But if the CString is more than 600000 chars or so, then the only solution is to use LoadDocument or the LoadURL functions that can read the file from the hard drive. The problem is that the process of writing to the hard drive and reading back slows down things.

    Does anybody know what’s wrong with the put_DocumentHTML function?

  52. John Morrison says:

    Here is a post from July of 2004:

    I am Scott Stearns, the test manager for the Microsoft Internet Explorer team (as Dean says we will be pulling together full bios of people later).  The IE team as we usually say.  Some of us have our individual blogs today, but we also wanted to have one that was focused on what we do every day at work – make Internet Explorer the best way for browsing the web.

    We see how that came to fruition. Seriously guys, give it up. Your stupid browser causes me nothing but headaches. I just had to purchase a crappy PC to run your sleazy operating system and test my sites with IE because you don’t know how to code to standards. Just quit and go work for Firefox so the rest of us can get on with our lives.

  53. amos says:

    Hi,

    I’m using the dhtmled.ocx component from Delphi.

    What alternatives do I have once Vista hits the market? I guess that continuing the same as it is now won’t be possible.

    Will it be possible to register this ocx manually?

    Thanks

  55. As you may have heard by now, the DHTML Editing Control is not shipping as a part of the Windows Vista…

  56. Ever wonder why Microsoft Outlook Web Access (OWA) has problem displaying message composer for composing

  58. When copy/pasting from MS Word, the HTML it generates is really messy and can’t be used verbatim. This

  59. IEBlog says:

    Hi, I’m B. Ashok, the Product Unit Manager for Web Development Tools . As mentioned in my earlier post

  60. You are using Windows Vista and get an error message in Windows Vista when you try to edit e-mail in Outlook Web Access. The problem occurs, for example, when you try to reply to an e-mail in OWA. …

  62. Last year, we made a post to the IE team blog about the removal of the DHTML Editing Control from the