What’s New in Version 5.2

1. Fixes the crash that occurred when calling the “SaveToServer” methods in Internet Explorer.

Now you can call the following script to perform the SaveToServer.

Sub SavetoServer()
    If OA1.IsOpened = True Then
        ' Show a busy cursor while the upload runs
        document.body.style.cursor = "wait"
        OA1.HttpInit
        Dim strFileName
        strFileName = OA1.DocumentName
        If strFileName = "" Then
            ' Untitled document: placeholder name plus the real extension
            strFileName = "yourguid"
            strFileName = strFileName + OA1.GetOpenedFileExt()
        End If
        ' Attach the opened document and post it to the upload page
        OA1.HttpAddPostOpenedFile strFileName
        OA1.HttpPost "http://www.ocxt.com/demo/upload_weboffice.php"
        document.body.style.cursor = "default"
        Dim sPath
        On Error Resume Next
        sPath = "Save successfully! You can download it at http://www.ocxt.com/demo/" + strFileName
        MsgBox sPath
    Else
        MsgBox "Please open a document firstly!"
    End If
End Sub

2. Adds some new methods.

Function:  HRESULT GetTempFilePath([out,retval] BSTR* strValue);
Description: Gets a temporary file path.

Function:  HRESULT ClearTempFiles();
Description: Clears the temporary files created by the component. The function won’t delete any files outside the OA temporary directory.

Function:  HRESULT GetOpenedFileExt([out,retval] BSTR* strValue);
Description: Gets the file extension of the currently opened file.

Function:  HRESULT GetOpenedFileType([out,retval] OpenedFileType* nType);
Description: Gets the file type of the currently opened file.

3. Changes the insecure method “void HttpDownloadFile(WebUrl, LocalFile, WebUsername, WebPassword)” to “BSTR HttpDownloadFileToTempDir(WebUrl, WebUsername, VARIANT WebPassword)”.

The component can now download files only to “Internet temporary file directory\OA\”, so the method can no longer be used to download a file and overwrite a legitimate system file.
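The design change in item 3, shown as an added C++ example (not EDraw's code): the caller no longer supplies a local path, and the destination is derived from the URL and confined to the fixed OA directory. The names confinedTempPath and percentDecode, the length limits and the C:\Temp directory are assumptions made for illustration.

```cpp
#include <cctype>
#include <cstdio>
#include <string>

// Decode %XX escapes so an encoded "..%5c" cannot slip past the leaf check.
static bool percentDecode(const std::string& in, std::string& out) {
    for (size_t i = 0; i < in.size(); ++i) {
        if (in[i] != '%') { out += in[i]; continue; }
        if (i + 2 >= in.size() || !std::isxdigit((unsigned char)in[i + 1]) ||
            !std::isxdigit((unsigned char)in[i + 2]))
            return false;  // malformed escape: refuse rather than guess
        out += static_cast<char>(std::stoi(in.substr(i + 1, 2), nullptr, 16));
        i += 2;
    }
    return true;
}

// Hypothetical helper, not the component's code: map a download URL to a file
// inside the fixed "<tempDir>\OA\" directory. Returns "" when refused.
std::string confinedTempPath(const std::string& tempDir, const std::string& url) {
    if (url.size() > 2048) return "";  // bound the input length up front
    std::string decoded;
    if (!percentDecode(url.substr(0, url.find_first_of("?#")), decoded)) return "";
    // Only the leaf after the last '/' or '\' is used; directories are dropped.
    size_t cut = decoded.find_last_of("/\\");
    std::string leaf = (cut == std::string::npos) ? decoded : decoded.substr(cut + 1);
    // Windows trims trailing dots and spaces, so ".", ".." and ".. " are refused.
    if (leaf.empty() || leaf.size() > 128 || leaf.back() == '.' || leaf.back() == ' ')
        return "";
    for (unsigned char c : leaf)
        if (c < 0x20 || c == ':') return "";  // control bytes, drive/stream syntax
    return tempDir + "\\OA\\" + leaf;
}

int main() {
    // Constructed inputs; the host name is the demo server used on this page.
    const char* urls[] = {"http://www.ocxt.com/demo/Tester.doc",
                          "http://www.ocxt.com/demo/..%5c..%5cother%5cfile.txt",
                          "http://www.ocxt.com/demo/%2e%2e"};
    for (const char* u : urls)
        std::printf("%-55s -> [%s]\n", u, confinedTempPath("C:\\Temp", u).c_str());
    return 0;
}
```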

Host Microsoft Office Application in .NET

If you are building a .NET application and you are struggling to find a way to host Word documents, Excel spreadsheets, PowerPoint presentations, Visio drawings or Project files, you might consider using the Visual C++ ActiveX Control for hosting Office documents. I learned about this download resource and I was shocked to see how you can add it to your solution and start working with Office applications in less than a minute. You can open Office applications, format content, update documents, save changes, print, and more inside your application. The EDraw Office Viewer Component is an ActiveX control written in MFC. The download includes sample code for using it in Visual Basic, HTML pages, C# and ASP.NET. You can also enable and disable specific functionality by using a full set of properties, methods, and events exposed for customization.

You can also host the control inside managed applications following these simple steps:

1. Download the EDraw Office Viewer Component.
2. Open Visual Studio .NET. 
3. Open your WinForms or WebForms application.
4. Add the EDraw Office Viewer Component to the Toolbox: 
5. On the Tools menu, click Customize Toolbox (in Visual Studio .NET 2002), or click Add/Remove Toolbox Items (in Visual Studio .NET 2003 or 2005), and then click the COM Components tab. 
6. On the COM Components tab, select EDraw Office Viewer Component. 
7. Click OK to close the Customize Toolbox dialog box.
8. Select the EDraw Office Viewer Component icon that appears in the Toolbox and drag-and-drop the control over the Form or Web Form.
9. Adjust the control’s docking/size as needed.
10. Build and run the application.
11. Create a new document to test the control.
12. You can call more than one hundred methods to customize your application.

EDraw Office Viewer Component Version 5.1 Released

EDraw Office Viewer Component version 5.1 was released yesterday. The new version provides more than one hundred methods. You can now do some Office automation with our component directly. You can open and play a slideshow in a customized form. You can create a new Excel workbook and then fill in the sheet with data from your database. You can prevent the user from editing or printing the Word document by setting the read-only mode.

The new version supports both HTTP and HTTPS. It also supports password-protected websites. Of course you can upload or download files via FTP too.

What’s new

1. Supports HTTP/HTTPS and password-protected websites.

2. You can set the Readonly mode for both Word and Excel.

3. You can play the slideshow in the same window without the web toolbars and the scrollbar.

4. Hyperlinks in Office documents now open without problems.

5. Media, animation and video in PowerPoint slide files now play without problems.

6. Supports both Print and PrintPreview. You can enable or disable them too.

7. You can put multiple Office programs in a form or open multiple EDraw Office Viewer Component instances in Internet Explorer.

8. Insert images, text, HTML and RTF into your Word document with the Office automation interfaces.

9. More settings for rulers, gridlines, toolbars, menubars, titlebar, caption and color scheme.

10. Supports clipboard operations. You can insert data into Word or Excel from the clipboard.

Fixed the vulnerable functions of Office Viewer Component

The new version removes the “DeleteLocalFile” method to prevent the attack. The component now deletes its temporary files when it exits.

We also improved the HTTP file download and provide a more secure download method in version 5.

The following is the vulnerability description for version 4.0.

Multiple vulnerabilities have been identified in EDraw Office Viewer Component v4.0, which could be exploited by remote attackers to delete arbitrary files or take complete control of an affected system.

The first issue is caused by a design error in the “DeleteLocalFile()” method within the “edrawofficeviewer.ocx” ActiveX control, which could be exploited by attackers to delete arbitrary files from a vulnerable system by tricking a user into visiting a specially crafted web page.

The second vulnerability is caused by a buffer overflow error in the “edrawofficeviewer.ocx” ActiveX control when processing malformed arguments passed to the “HttpDownloadFile()” method, which could be exploited by remote attackers to execute arbitrary code via a malicious web page.

Open a Stream from Server without temporary file

In the new version of Office Viewer, you can use OpenFileFromStream to open a specified file or a file stored in a database.

Whether you want to open a specified file or a file from a database, the client-side code is the same:

// Reset the HTTP state, name the document, then request it as a stream
m_oEdrawOfficeViewer.HttpInit();
m_oEdrawOfficeViewer.HttpAddpostString(L"DocumentID", L"Tester.doc");
m_oEdrawOfficeViewer.HttpOpenFileFromStream(strDownloadPath,varOpt,varOpt,varOpt);

Before you call HttpOpenFileFromStream, you should do two things: initialize HTTP to clear all parameters and cookies, and specify the file or database record. Then call HttpOpenFileFromStream to send the request to the destination web page.
Before HttpOpenFileFromStream sends the request, it automatically adds a parameter pair:
m_OAHttp.AddPostArgument(L"EDA_GETSTREAMDATA", L"EDA_YES");
This parameter pair tells the destination web page that OfficeViewer will receive the file as a stream.

On the server side, the web page decides which file or database record to read according to the POST parameters.
You should also wrap the file data in the boundary flag ‘EDA_STREAMBOUNDARY’. The following is the ASP.NET demo.

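if (Request.Params["EDA_GETSTREAMDATA"] == "EDA_YES")
{
  // DocumentID is client-controlled: keep only the file name so the
  // request cannot name a path in another directory.
  String docName = Path.GetFileName(Request.Params["DocumentID"]);
  String fullFileName = Server.MapPath(docName);
  Byte[] fs = File.ReadAllBytes(fullFileName);

  // Status text first, then the file bytes wrapped in the boundary flag
  Response.Write("Get Stream Successfully!");
  Response.Write("EDA_STREAMBOUNDARY");
  Response.BinaryWrite(fs);
  Response.Write("EDA_STREAMBOUNDARY");
}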
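
An added C++ example (not the component's code) of splitting the reply that the ASP.NET demo above produces. The names parseStreamReply, samplePayload and sampleReply, the size cap and the sample bytes are assumptions; the closing marker is taken as the last occurrence so that file bytes containing the marker text are not cut short.

```cpp
#include <cstdio>
#include <string>

static const std::string kBoundary = "EDA_STREAMBOUNDARY";

struct StreamReply {
    bool ok;             // false when the reply is not a well-formed stream
    std::string status;  // text written before the first boundary
    std::string data;    // raw file bytes between the two boundaries
};

// Hypothetical parser, not the component's code. The closing marker is the
// LAST occurrence, so file bytes that happen to contain the marker survive.
StreamReply parseStreamReply(const std::string& body, size_t maxBytes) {
    StreamReply r{false, "", ""};
    size_t first = body.find(kBoundary);
    size_t last = body.rfind(kBoundary);
    // An error page or a truncated reply carries fewer than two markers.
    if (first == std::string::npos || first == last) return r;
    size_t begin = first + kBoundary.size();
    if (last < begin || last - begin > maxBytes) return r;  // bounded payload
    r.ok = true;
    r.status = body.substr(0, first);
    r.data = body.substr(begin, last - begin);
    return r;
}

// Constructed sample: a payload with a NUL byte and an embedded marker.
std::string samplePayload() {
    return std::string("PK\x03\x04", 4) + std::string(1, '\0') + kBoundary + "tail";
}
std::string sampleReply() {
    return "Get Stream Successfully!" + kBoundary + samplePayload() + kBoundary;
}

int main() {
    StreamReply r = parseStreamReply(sampleReply(), 1 << 20);
    std::printf("ok=%d status=%s bytes=%zu\n", r.ok, r.status.c_str(), r.data.size());
    return 0;
}
```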

Enumerate all the captions in the context menu of MS Office

Sub ListCellControls()
    ' Write the index and caption of every item in the "Cell" context menu
    k = Application.CommandBars("Cell").Controls.Count
    For i = 1 To k
        Cells(i, 1) = i ' ID
        Cells(i, 2) = Application.CommandBars("Cell").Controls(i).Caption
    Next i
End Sub