6

On 13. Dezember 2022 Microsoft made a Windows Update KB5020880 (CVE-2022-41089) for .NET 4.8.1 which should fix security problem on XPS.

Since then the FlowDocument, which will be rendered to XPS, will not show local images anymore. I do need local images, because I have to create and embed them dynamically.

<FlowDocument xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation"
              xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
              PageHeight="29.7cm" 
              PageWidth="21cm" >
    <Section Padding="40,0,20,0">
      <Paragraph>before image</Paragraph>
  
      <Paragraph FontSize="10" FontFamily="Verdana">
        <Image Source="c:/Test/MyImage.jpg" Margin="40,40,0,0" />
      </Paragraph>
  
      <Paragraph>after image</Paragraph>
    </Section>
</FlowDocument>

DocumentViewer shows the FlowDocument like this, as soon as it has been converted into an XpsDocument.

enter image description here

Does anyone has a solution for this?

Any help is very welcome.

Cheers, jaz

jaz
  • 228
  • 2
  • 14
  • Here is a similar question: https://stackoverflow.com/questions/74879585/wpf-xps-document-doesnt-display-images-anymore/74931766 – cplotts Jan 03 '23 at 22:19

3 Answers3

4

There is a github issue about this update. They wrote about an update with fix for this and we are waiting for it.

martindsa
  • 41
  • 2
3

This behaviour seems to be related to a security fix for XPS introduced with the update you refer to. Microsoft provides a workaround document: https://support.microsoft.com/en-gb/topic/kb5022083-change-in-how-wpf-based-applications-render-xps-documents-a4ae4fa4-bc58-4c37-acdd-5eebc4e34556 The Alternate Workaround worked for me, however it will make systems susceptible again for the security issues fixed with the update.

Nils Beckmann
  • 31
  • 3
  • Unfortunately, we can not use the security workaround as customers install our software on their own machines ... and the last thing we want to do is make them vulnerable to a security issue. – cplotts Jan 03 '23 at 22:10
  • 1
    We also tried the PowerShell script that Microsoft provides in that knowledge base article. The PowerShell script adds several string values to the registry under the key Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Windows Presentation Foundation\XPSAllowedTypes. This did not fix the issue. – cplotts Jan 03 '23 at 22:15
  • I ran this: reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\Windows Presentation Foundation\XPSAllowedTypes" /v "DisableDec2022Patch" /t REG_SZ /d "*" /reg:64 And our images reappeared in the Flowdocument (used for print and print preview) However, this is NOT good enough as a solution - if the included Windows XPS Viewer is not affected by this issue, then please tell me how that has been implemented ?? – sergeantKK Jan 04 '23 at 17:05
  • Yes @sergeantKK, that is exactly the security workaround that we do not want to use ... as it simply disables the security fix. – cplotts Jan 04 '23 at 18:59
  • Unfortunately these registry entries did not work for us. Images stay invisible. – jaz Jan 11 '23 at 16:49
1

We are running into a similar problem. This doesn't work for everyone, but if you can switch from FlowDocument to FixedDocument, that can solve the problem also. FixedDocument doesn't seem to be affected by this latest MS security change. Perhaps it is the "flowing/resizing" part that was insecure.

Jeff
  • 333
  • 2
  • 10
  • I am not having a problem with FixedDocument either but I am with our dynamic report generator which uses flow document. However even using FixedDocument the preview does not work (saving as a PDF does) I wonder is this is because we are using documentPaginator in the preview method. – Dax Jan 09 '23 at 16:50
  • I am awarding the bounty to this answer because I was able to use a FixedDocument approach to getting around the issue. I want to note two other things as well. First, our printing implementation did not utilize a FlowDocument ... it used a XpsDocument and writing Visual(s) using System.Windows.Xps.VisualsToXpsDocument class (accessed by CreateVisualsCollator off of the XpsDocumentWriter). – cplotts Jan 09 '23 at 17:32
  • The second thing I want to note is that Microsoft is currently working on a fix. See the link in @martindsa's answer for more information. – cplotts Jan 09 '23 at 17:33
  • Our report renderer creates FixedDocument from FlowDocuments. Same problem, images stay invisible in FixedDocuments. – jaz Jan 11 '23 at 16:51
  • Hopefully you're not calling XpsDocument.GetFixedDocumentSequence. That call definitely causes the issue. I think the real issue with FlowDocument is with the Paginator. If you avoid those 2 things, I'm surprised your FixedDocument won't show images. – Jeff Jan 11 '23 at 22:08