[Esd-l] Modifying the sanitizer to scan for INCLUDETEXT fields

Brett Glass brett at lariat.org
Wed Oct 2 17:47:01 PDT 2002


John:

You may also want to scan for an INCLUDEPICTURE field. According to some 
recently published articles, it's potentially even more dangerous than 
INCLUDETEXT because it can contain an arbitrary URL that can be generated 
from VBA variables and/or function calls.

--Brett
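
The check suggested in the message above, sketched as an added example; it is not part of the original post and is not the sanitizer's own code. The function name, the sample bytes (constructed), the case-insensitive matching, and the choice to look for the field names as 8-bit and as UTF-16LE text are all assumptions of this example.

```python
import re

# INCLUDETEXT is from the thread subject; INCLUDEPICTURE from the message above.
FIELD_NAMES = ("INCLUDETEXT", "INCLUDEPICTURE")
# Assumption of this example: the field instruction is stored as plain text,
# either 8-bit (e.g. RTF) or UTF-16LE (Unicode text in a binary document).
ENCODINGS = ("ascii", "utf-16-le")
# First argument after the field name: a quoted string or a bare token.
_ARG = re.compile(r'\s*(?:"([^"]*)"|([^\s\\}\x14\x15]+))')


def find_include_fields(data: bytes):
    """Return (offset, field, encoding, target) for each field name found."""
    hits = []
    for name in FIELD_NAMES:
        for enc in ENCODINGS:
            # Assumption: match case-insensitively so "includetext" is caught too.
            pat = re.compile(re.escape(name.encode(enc)), re.IGNORECASE)
            width = len("A".encode(enc))  # bytes per character in this encoding
            for m in pat.finditer(data):
                # Decode a bounded window after the name to recover its target.
                tail = data[m.end():m.end() + 256 * width]
                arg = _ARG.match(tail.decode(enc, errors="replace"))
                target = None
                if arg:
                    target = arg.group(1) if arg.group(1) is not None else arg.group(2)
                hits.append((m.start(), name, enc, target))
    return sorted(hits, key=lambda h: h[0])


# Constructed samples: an RTF field instruction and a UTF-16LE text run.
RTF_SAMPLE = rb'{\rtf1{\field{\*\fldinst INCLUDEPICTURE "http://example.invalid/a.gif" \\d}}}'
DOC_SAMPLE = '\x13 IncludeText "sample.txt" \x14shown text\x15'.encode("utf-16-le")

if __name__ == "__main__":
    for label, blob in (("rtf", RTF_SAMPLE), ("doc", DOC_SAMPLE)):
        for hit in find_include_fields(blob):
            print(label, hit)
```

Reporting the target alongside the field name lets a filter log what the field would have fetched before the attachment is quarantined or defanged.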


