HtmlConverter and MSHTML dll

Hi,

Is Microsoft.mshtml.dll used behind the scenes while generating PDF using the IE Render, QtWebKit and Blink binaries? I was under the impression that only IE Render would need it and not QtWebKit and Blink, but Microsoft.mshtml.dll is a reference dll in Syncfusion.HtmlConverter.Base.dll and is added to the project bin directory when I add the NuGet package to the project.

The reason I am asking this is that recently the security team of our organisation pointed out a vulnerability in MSHTML (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444) and asked for the remediation.

Can you please advise what's the remediation?


Thanks

PP


9 Replies

GK Gowthamraj Kumar Syncfusion Team November 23, 2021 11:44 AM UTC

Hi Parth, 

Thank you for contacting Syncfusion support.

 
Yes. The IE rendering engine internally makes use of Microsoft’s MSHTML to convert the HTML files to vector images; from those images we render the content to the PDF document. Please refer to the link below for the IE limitations,

If you are unable to use the IE rendering engine, we suggest you try our new Blink-based HTML converter to achieve your requirements. The Blink converter internally makes use of the Chromium executable in headless mode to convert HTML to PDF.

Kindly refer to the link below for more information about our Blink converter.

Please let us know if you need any further assistance with this. 

Regards, 
Gowthamraj K 



PA Parth November 23, 2021 02:56 PM UTC

Thank you for the reply Gowthamraj.

But the problem is that when I use the NuGet package for Blink, it adds HtmlConverter.Base.dll along with Microsoft.mshtml.dll. If mshtml is only being used for the IE rendering engine, don't you think it shouldn't be referenced in HtmlConverter.Base.dll and should instead be referenced in the assemblies of the IE render NuGet package? Is there any technical reason for referencing mshtml in HtmlConverter.Base.dll?

Thanks

PP



GK Gowthamraj Kumar Syncfusion Team November 24, 2021 02:37 PM UTC

Hi Parth, 
 
Thank you for your update. 
 
For an ASP.NET Core application, you need to install the Blink (https://www.nuget.org/packages/Syncfusion.HtmlToPdfConverter.Blink.Net.Core.Windows/) NuGet package to convert HTML to a PDF document using Blink. Blink conversion works properly without the Microsoft.MSHTML dll file. For the Base assemblies, we have generated common assemblies which contain the required references for all the rendering engines (including IE), so the assembly is referenced in HtmlConverter.Base.dll; it is required for the HtmlConverter.Base assemblies.

We have attached the .NET Core sample for Blink conversion; please find the sample below,
 
Please let us know if you need any further assistance with this. 
 
Regards, 
Gowthamraj K 



PA Parth November 24, 2021 07:35 PM UTC

Hi Gowthamraj, 

That's surely a weird design decision (according to architecture, senior architecture and enterprise architecture of my organization), as in general the purpose of the base assembly is to hold common functionality used in all top-level assemblies, not functionality specific to one assembly (the IE rendering engine in this case). If a third-party reference assembly is as old as mshtml and likely to have security concerns, why add it to a base assembly where it is not used? It's a potential red flag.

To give you a little background, the organization I work at is a group of several companies and holds a Syncfusion license. Unfortunately, due to the mshtml issue, they are currently reviewing the potential risk in third-party assemblies, including Syncfusion. They are more interested to know whether Syncfusion can fix this in a future release or not. Can you please pass this message to the dev team and advise what they are thinking?


Thanks

PP



GK Gowthamraj Kumar Syncfusion Team November 25, 2021 03:08 PM UTC

Hi Parth, 

Thank you for your patience. 

Currently, we are analyzing this on our end and we will provide further details on November 29th, 2021.

Regards, 
Gowthamraj K 



PV Prakash Viswanathan Syncfusion Team November 29, 2021 04:50 PM UTC

Hi Parth, 

Thank you for your patience.  

We have further analysed your requirement, but our HTML Converter base is a common .NET Framework library for the IE, WebKit and Blink rendering engines. However, the WebKit and Blink rendering engines do not require Microsoft.mshtml.dll; we can convert HTML to PDF without Microsoft.mshtml.dll using the WebKit and Blink rendering engines.

If you are not using the IE rendering engine, you can remove the Microsoft.mshtml.dll reference from your project. The conversion will work flawlessly in WebKit and Blink without this dll, so you can avoid this security vulnerability issue with Microsoft.mshtml.dll. Currently, we do not have any plans to provide separate libraries for each rendering engine. Kindly use the above solution to resolve this issue.

Please refer to the screenshot below,

 

Regards, 
Prakash V 
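
Added example (not part of the thread and not Syncfusion code): a check a team could run in CI on the build or publish output to confirm that Microsoft.mshtml.dll is no longer deployed once the reference is removed as described in the reply above. The byte-pattern match for assembly references is a heuristic, and the function names and sample files are constructed for illustration.

```python
import tempfile
from pathlib import Path

PIA_FILE = "microsoft.mshtml.dll"
# Assembly names sit in the .NET #Strings heap as NUL-terminated UTF-8, so a
# reference to the interop assembly shows up as this byte pattern (heuristic).
REF_MARKER = b"\x00microsoft.mshtml\x00"


def audit_output(bin_dir):
    """Return (copies, referrers) found under a build/publish directory."""
    root = Path(bin_dir)
    copies, referrers = [], []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in (".dll", ".exe"):
            continue
        rel = path.relative_to(root).as_posix()
        if path.name.lower() == PIA_FILE:
            copies.append(rel)          # the interop DLL itself was deployed
        elif REF_MARKER in path.read_bytes().lower():
            referrers.append(rel)       # another assembly still names it
    return copies, referrers


def gate(bin_dir, allow_reference=True):
    """CI gate: True when the output is acceptable for a Blink/WebKit-only app.

    allow_reference=True tolerates the base assembly still naming the DLL,
    which the thread says is the case; only a deployed copy fails the gate.
    """
    copies, referrers = audit_output(bin_dir)
    return not copies and (allow_reference or not referrers)


def demo():
    """Build constructed stand-in files (not real assemblies) and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        out = Path(tmp)
        (out / "runtimes").mkdir()
        (out / "App.dll").write_bytes(b"MZ\x00System.Runtime\x00")
        (out / "Syncfusion.HtmlConverter.Base.dll").write_bytes(
            b"MZ\x00mscorlib\x00Microsoft.mshtml\x00")
        (out / "runtimes" / "Microsoft.mshtml.dll").write_bytes(b"MZ")
        before = audit_output(out)
        # Simulate removing the DLL from the output, then audit again.
        (out / "runtimes" / "Microsoft.mshtml.dll").unlink()
        return before, audit_output(out), gate(out)


if __name__ == "__main__":
    print(demo())
```
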



PA Parth November 30, 2021 10:38 PM UTC

Hi Prakash,


I understand if the dev team has no plan to make the change I proposed, but can it be put on the to-do list? The reason is, surely I could have got rid of the mshtml reference, but only if I had added the reference to it in the project directly, along with the other Syncfusion dlls, from a physical location; but we are using a NuGet package that automatically copies the mshtml dll during compilation. Can you advise how I can use the Blink NuGet package without letting it copy the mshtml dll?


Thanks

PP




SG Sivaram Gunabalan Syncfusion Team December 1, 2021 05:34 PM UTC

Hi Parth, 
 
Sorry for the inconvenience caused. 
 
Currently, we are checking on removing the mshtml.dll file while compiling the Blink NuGet package in the project, and we will provide further details on December 3rd, 2021.
 
Regards, 
Sivaram G 



SG Sivaram Gunabalan Syncfusion Team December 4, 2021 03:32 PM UTC

Hi Parth, 
 
Thank you for your patience. 
 
We have planned to build the HtmlToPdfConverter base assemblies without referencing Microsoft.mshtml.dll for the Blink/WebKit rendering engines. We are planning to complete this and include the updated assemblies in our upcoming release. We usually have an interval of at least three months between releases, and at the planning stage for every release cycle, we review all open features. We will implement this feature in any of our upcoming releases and update you once it is implemented. You can track the status of this feature using this feedback.
 
You can track the status of the implementation in the below feedback.     
 
Regards, 
Sivaram G  

