Specifies a set of features to support on the System.Xml.XmlReader object created by the System.Xml.XmlReader.Create method.
The System.Xml.XmlReader.Create method is the preferred mechanism for obtaining System.Xml.XmlReader instances. The System.Xml.XmlReader.Create method uses the System.Xml.XmlReaderSettings class to specify which features to implement in the created System.Xml.XmlReader object.
For more information, see Creating XML Readers.
The following are things to consider when using the System.Xml.XmlReaderSettings class.
The System.Xml.Schema.XmlSchemaValidationFlags.ProcessInlineSchema and System.Xml.Schema.XmlSchemaValidationFlags.ProcessSchemaLocation validation flags of a System.Xml.XmlReaderSettings object are not set by default. When these flags are set, the XmlReaderSettings.XmlResolver of the System.Xml.XmlReaderSettings object is used to resolve schema locations encountered in the instance document in the System.Xml.XmlReader. If the XmlReaderSettings.XmlResolver object is null, schema locations are not resolved even if the System.Xml.Schema.XmlSchemaValidationFlags.ProcessInlineSchema and System.Xml.Schema.XmlSchemaValidationFlags.ProcessSchemaLocation validation flags are set.
Schemas added during validation add new types and can change the validation outcome of the document being validated. As a result, external schemas should only be resolved from trusted sources.
Validation error messages may expose sensitive content model information. Validation error and warning messages are handled using the System.Xml.Schema.ValidationEventHandler delegate, or are exposed as a System.Xml.Schema.XmlSchemaValidationException if no event handler is provided to the System.Xml.XmlReaderSettings object (validation warnings do not cause a System.Xml.Schema.XmlSchemaValidationException to be thrown). This content model information should not be exposed in untrusted scenarios. Validation warning messages are suppressed by default and can be reported by setting the System.Xml.Schema.XmlSchemaValidationFlags.ReportValidationWarnings flag.
The System.Xml.Schema.XmlSchemaException.SourceUri property of a System.Xml.Schema.XmlSchemaValidationException returns the URI path to the schema file that caused the exception. The System.Xml.Schema.XmlSchemaException.SourceUri property should not be exposed in untrusted scenarios.
Disabling the System.Xml.Schema.XmlSchemaValidationFlags.ProcessIdentityConstraints flag (enabled by default) is recommended when validating untrusted, large XML documents in high availability scenarios against a schema with identity constraints over a large part of the document.
System.Xml.XmlReaderSettings objects can contain sensitive information such as user credentials. You should be careful when caching System.Xml.XmlReaderSettings objects, or when passing the System.Xml.XmlReaderSettings object from one component to another.
DTD processing is disabled by default. If you enable DTD processing, be aware of the risks of including DTDs from untrusted sources and of possible denial of service attacks. Use the System.Xml.XmlSecureResolver to restrict the resources that the System.Xml.XmlReader can access.
Do not accept supporting components, such as System.Xml.NameTable, System.Xml.XmlNamespaceManager, and System.Xml.XmlResolver objects, from an untrusted source.
Memory usage of an application that uses System.Xml.XmlReader may have a correlation to the size of the parsed XML document. One form of denial of service attack is when excessively large XML documents are submitted to be parsed. You can limit the size of the document that can be parsed by setting the XmlReaderSettings.MaxCharactersInDocument property and then limit the number of characters that result from expanding entities by setting the XmlReaderSettings.MaxCharactersFromEntities property.
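The considerations above combined into one settings object for untrusted input, as an added example that is not part of the original documentation. The schema, the sample document, the size limits, the Hardened helper and the use of Console.Error as a stand-in for an internal log are assumptions made for illustration.

```csharp
using System;
using System.IO;
using System.Xml;
using System.Xml.Schema;

static class UntrustedXml
{
    // Constructed schema, supplied by the application rather than by the document.
    const string TrustedXsd =
        "<xs:schema xmlns:xs='http://www.w3.org/2001/XMLSchema'>" +
        "<xs:element name='order'><xs:complexType><xs:sequence>" +
        "<xs:element name='qty' type='xs:positiveInteger'/>" +
        "</xs:sequence></xs:complexType></xs:element></xs:schema>";

    static XmlReaderSettings Hardened(Action onInvalid)
    {
        var s = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // the default, stated explicitly
            XmlResolver = null,                     // schema locations are never resolved
            MaxCharactersInDocument = 1000000,      // assumed limit on document size
            MaxCharactersFromEntities = 1024,       // assumed limit on entity expansion
            ValidationType = ValidationType.Schema
        };
        s.Schemas.Add(null, XmlReader.Create(new StringReader(TrustedXsd)));
        // ProcessInlineSchema and ProcessSchemaLocation stay unset (the default);
        // identity constraints are switched off for large untrusted documents.
        s.ValidationFlags &= ~XmlSchemaValidationFlags.ProcessIdentityConstraints;
        s.ValidationEventHandler += (sender, e) =>
        {
            // The message (and SourceUri of the exception) go to the internal log only.
            Console.Error.WriteLine("[internal] " + e.Severity + ": " + e.Message);
            onInvalid();
        };
        return s;
    }

    static void Main()
    {
        string untrusted = "<order><qty>0</qty></order>"; // constructed sample input
        bool valid = true;
        try
        {
            using (var r = XmlReader.Create(new StringReader(untrusted), Hardened(() => valid = false)))
                while (r.Read()) { }
        }
        catch (XmlException) { valid = false; } // DTD present, limit exceeded, or malformed
        Console.WriteLine(valid ? "accepted" : "rejected"); // no schema detail reaches the caller
    }
}
```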