Outlook View Control View Issue Demo

Outlook View Control Demo

The tests on this page demonstrate a change in functionality for the Outlook View Control version released to patch the security vulnerability described at MS01-038 - Outlook View Control Exposes Unsafe Functionality. The View parameter is no longer available to programmers using the OVC in a web page, outside Outlook.

Unfortunately, instead of simply ignoring the View parameter and degrading gracefully, this change causes any OVC initialized with a View parameter to show the Inbox, instead of the folder listed in the Folder parameter. Test 1 illustrates this.

If code on the page (running outside Outlook) tries to set the View parameter, as shown in Test 3, you will get a Permission Denied error.

Test 1: This view control uses the following code, adapted from Q291407, to try to display the Calendar folder using a standard view:

If you are running this page as an Outlook folder home page, you'll see the Calendar. If you're running it in a digital dashboard or other web application outside Outlook, you'll see the Inbox instead of the Calendar.

Test 2: Click this button

to run this code:

Sub btnShowCal_onclick
ViewCtlFolder.Folder = "Calendar"
End Sub

It should work fine. Setting the Folder parameter is still allowed in all cases.

Test 3: Click this button

to run this code:

Sub btnChangeView_onclick
ViewCtlFolder.View = "Active Appointments"
End Sub

In an Outlook folder home page, it will switch views just fine. In a web page outside Outlook, you will get Error: Permission Denied, because the View property is not longer available when running outside Outlook.

Test 4: This view control uses the same code, only with the View parameter removed:

And it shows the Calendar folder on startup just fine.