System.Xml.XmlTextReader provides forward-only, read-only access to a stream of XML data. The current node refers to the node on which the reader is positioned. The reader is advanced using any of the read methods and properties reflect the value of the current node.

This class implements System.Xml.XmlReader and conforms to the W3C Extensible Markup Language (XML) 1.0 and the Namespaces in XML recommendations. XmlTextReader provides the following functionality:

• Enforces the rules of well-formed XML.

• XmlTextReader does not provide data validation.

• Checks that DocumentType nodes are well-formed. XmlTextReader checks the DTD for well-formedness, but does not validate using the DTD.

• For nodes where XmlTextReader.NodeType is XmlNodeType.EntityReference, a single empty EntityReference node is returned (that is, the XmlTextReader.Value property is String.Empty).

• Does not expand default attributes.

Because the XmlTextReader does not perform the extra checks required for data validation, it provides a fast well-formedness parser.

To perform data validation, use a validating System.Xml.XmlReader. For more information, see Validating XML Data with XmlReader.

To read XML data from an System.Xml.XmlDocument, use System.Xml.XmlNodeReader.

XmlTextReader throws an System.Xml.XmlException on XML parse errors. After an exception is thrown the state of the reader is not predictable. For example, the reported node type may be different than the actual node type of the current node. Use the XmlTextReader.ReadState property to check whether a reader is in error state.

For further discussion on the XmlReader classes, see Reading XML with the XmlReader.

Security Considerations

The following are things to consider when using the System.Xml.XmlTextReader class.

• Exceptions thrown the System.Xml.XmlTextReader can disclose path information that you do not want bubbled up to the application. Your applications must catch exceptions and process them appropriately.

• DTD processing is enabled by default. Disable DTD processing if you are concerned about Denial of Service issues or if you are dealing with untrusted sources. Set the XmlTextReader.DtdProcessing property to DtdProcessing.Prohibit to disable DTD processing.

  If you have DTD processing enabled, you can use the System.Xml.XmlSecureResolver to restrict the resources that the System.Xml.XmlTextReader can access. You can also design your application so that the XML processing is memory and time constrained. For example, configure time-out limits in your ASP.NET application.

• XML data can include references to external resources such as a DTD file. By default external resources are resolved using an System.Xml.XmlUrlResolver object with no user credentials. You can secure this further by doing one of the following:

• XML data can contain a large number of attributes, namespace declarations, nested elements and so on that require a substantial amount of time to process. To limit the size of the input that is sent to the System.Xml.XmlTextReader, create a custom IStream implementation and supply it the System.Xml.XmlTextReader.

• The XmlReader.ReadValueChunk(Char[], int, int) method can be used to handle large streams of data. This method reads a small number of characters at a time instead of allocating a single string for the whole value.

• By default general entities are not expanded. General entities are expanded when you call the XmlTextReader.ResolveEntity method.

All public static members of this type are safe for multithreaded operations. No instance members are guaranteed to be thread safe.

Namespace: System.Xml
Assembly: System.Xml (in System.Xml.dll)
Assembly Versions: 1.0.5000.0, 2.0.0.0, 4.0.0.0