In version 10.3.1 of PDF Converter for SharePoint On-Premises and PDF Converter Services, we implemented a couple of improvements to make conversion of HTML sources and URLs safer and less prone to security exploits. This post outlines the security-related updates.
Running HTML-to-PDF Converter with Fewer Privileges
From version 10.3.1, the process that converts HTML sources and URLs into PDFs runs with lowered privileges.
Note: This feature is only available if Chromium HTML-to-PDF converter is used.
Dynamically Removing Potentially Malicious HTML Elements
From version 10.3.1, some HTML elements (iframes and embedded and object elements) are automatically removed when an HTML source or a URL is converted into PDF, which greatly improves security. Dynamically created elements of the unwanted types will be removed as well.
In case the removal of those HTML elements isn’t desired, the following configuration should be adjusted. Only the listed HTML elements will be removed automatically.
<add key="HTMLConverterFullFidelity.RemoveNodes" value="iframe,embed,object"/>
Note: This feature is only available if Chromium HTML-to-PDF converter is used. Furthermore, for Windows Server 2012 R2, it’s available for converting HTML sources but not URLs.
Choosing More Secure Browser Engines
To learn more about choosing secure browser engines, refer to the Configuring the Chromium-Based HTML-to-PDF Converter Knowledge Base article.
Note: This feature is only available if Chromium HTML-to-PDF converter is used.
