Are XPS Files Safe to Open?

If you have received an unexpected .xps or .oxps file, it is reasonable to ask whether opening it is safe. The short answer: XPS files carry a lower macro risk than Office documents, but they are not inherently harmless. This page explains the actual threat surface, what the format can and cannot contain, and the privacy considerations around online conversion.

What an XPS file actually contains

An XPS file is a ZIP archive using Open Packaging Conventions. Inside are XAML markup files describing page content, an OPC manifest, and embedded resources — fonts, images, and colour profiles. The format was designed as a fixed-layout output, not an interactive document, so the specification does not include scripting, form fields, or executable content of any kind.

Crucially, XPS files do not support Office macros — the VBA or VBScript code that makes Word's .docm and Excel's .xlsm formats dangerous in phishing campaigns. An XPS file cannot run a macro when opened in the XPS Viewer.

Real risks: vulnerabilities in the viewer

The absence of macros does not mean zero risk. Any sufficiently complex file parser can have vulnerabilities, and the Microsoft XPS Viewer has had CVEs in the past (as has every document viewer). A maliciously crafted XPS file could, in theory, exploit a parsing bug in the viewer software. This risk is not unique to XPS — PDF, DOCX, and image formats have all been attacked the same way.

The practical mitigations are the same as for any document format:

Keep Windows and the XPS Viewer updated so security patches are current.
Run a scan with Windows Defender (or your AV of choice) before opening a file from an unexpected source.
Be cautious with files arriving via email from unknown senders — the format matters less than the provenance.

XPS and embedded content

An XPS file can embed fonts, ICC colour profiles, and images (JPEG, PNG, TIFF). Embedded images and fonts are rendered by the viewer, which is the same surface area as opening those resources directly. Historically, font-parsing and image-decoding vulnerabilities have been exploited in PDF readers; the same class of bug could apply to XPS.

XPS cannot embed JavaScript, Flash, or other active content. It also cannot link to external resources that load over the network at open time (unlike some PDF configurations that ping remote tracking URLs when opened). From a privacy standpoint, this makes XPS slightly simpler than PDF.

Is converting online safe?

Sending a file to an online converter involves a trust decision. For XPS2PDF.co.uk, the facts are:

Encrypted transfer: Files are uploaded and downloaded over HTTPS.
Automatic deletion: Files are deleted within 60 minutes of upload, regardless of whether you download the result.
No human review: Processing is automated. No staff member reads your documents.
Operated by themediaflow Ltd, based in Saffron Walden, UK. Online since 2009.

For confidential documents — medical records, legal contracts, personal ID — judge the risk against the sensitivity of the content. Converting a scanner receipt to PDF is low risk. Uploading a signed NDA is a higher bar that each user must weigh themselves.

Prefer not to open an unknown XPS file directly? Convert it to PDF at XPS2PDF.co.uk — HTTPS transfer, no human review, files deleted within 60 minutes.

Frequently asked questions

Can an XPS file contain a virus?

In the sense of a macro virus, no — XPS has no macro or scripting support. However, a maliciously crafted XPS could exploit a vulnerability in the viewer software, like any complex file format. Scanning with antivirus software before opening is sensible for files from unknown sources.

Can XPS files contain macros like Word documents?

No. XPS is a fixed-layout output format and does not support VBA, VBScript, or any other macro language. This is a genuine security advantage over .docm and .xlsm files.

Is it safe to upload an XPS file to an online converter?

For non-sensitive documents it is generally fine, provided the service uses HTTPS, deletes files promptly, and has a clear privacy policy. XPS2PDF.co.uk encrypts transfers, deletes files within 60 minutes, and processes conversions automatically without human review.

Does an XPS file load remote content when opened?

No. The XPS specification does not include external resource references that load over the network at open time. This makes it somewhat simpler from a privacy standpoint than some PDF configurations.

Should I scan an XPS file before opening it?

Yes, if it arrived from an unknown or unexpected source. Windows Defender can scan individual files by right-clicking them. The format itself is lower-risk than macro-enabled Office formats, but parser vulnerabilities exist in all document viewers.

Last updated: June 2026