Export (0) Print
Expand All
0 out of 4 rated this helpful - Rate this topic

XmlReaderSettings Class

Specifies a set of features to support on the XmlReader object created by the Create method.

Namespace: System.Xml
Assembly: System.Xml (in system.xml.dll)

public sealed class XmlReaderSettings
public final class XmlReaderSettings
public final class XmlReaderSettings
Not applicable.

In the Microsoft .NET Framework version 2.0 release, the Create method is the preferred mechanism for obtaining XmlReader instances. The Create method uses the XmlReaderSettings class to specify which features to implement in the created XmlReader object.

For more information, see Creating XML Readers.

Security Considerations

The following are things to consider when using the XmlReaderSettings class.

  • The ProcessInlineSchema and ProcessSchemaLocation validation flags of an XmlReaderSettings object are not set by default. When these flags are set, the XmlResolver of the XmlReaderSettings object is used to resolve schema locations encountered in the instance document in the XmlReader. If the XmlResolver object is a null reference (Nothing in Visual Basic), schema locations are not resolved even if the ProcessInlineSchema and ProcessSchemaLocation validation flags are set.

  • Schemas added during validation add new types and can change the validation outcome of the document being validated. As a result, external schemas should only be resolved from trusted sources.

  • Validation error messages may expose sensitive content model information. Validation error and warning messages are handled using the ValidationEventHandler delegate, or are exposed as an XmlSchemaValidationException if no event handler is provided to the XmlReaderSettings object (validation warnings do not cause an XmlSchemaValidationException to be thrown). This content model information should not be exposed in untrusted scenarios. Validation warning messages are suppressed by default and can be reported by setting the ReportValidationWarnings flag.

  • The SourceUri property of an XmlSchemaValidationException returns the URI path to the schema file that caused the exception. The SourceUri property should not be exposed in untrusted scenarios.

  • Disabling the ProcessIdentityConstraints flag (enabled by default) is recommended when validating, untrusted, large XML documents in high availability scenarios against a schema with identity constraints over a large part of the document.

  • XmlReaderSettings objects can contain sensitive information such as user credentials. You should be careful when caching XmlReaderSettings objects, or when passing the XmlReaderSettings object from one component to another.

  • DTD processing is disabled by default. If you enable DTD processing, you need to be aware of including DTDs from untrusted sources and possible denial of service attacks. Use the XmlSecureResolver to restrict the resources that the XmlReader can access.

  • Do not accept supporting components, such as NameTable, XmlNamespaceManager, and XmlResolver objects, from an untrusted source.

  • Memory usage of an application that uses XmlReader may have a correlation to the size of the parsed XML document. One form of denial of service attack is when excessively large XML documents are submitted to be parsed. You can limit the size of the document that can be parsed by setting the MaxCharactersInDocument property and then limit the number of characters that result from expanding entities by setting the MaxCharactersFromEntities property.

The following example creates an XmlReader that uses an XmlUrlResolver with the necessary credentials.

// Create an XmlUrlResolver with the credentials necessary to access the Web server.
XmlUrlResolver resolver = new XmlUrlResolver();
System.Net.NetworkCredential myCred;
myCred  = new System.Net.NetworkCredential(UserName,SecurelyStoredPassword,Domain);  
resolver.Credentials = myCred;

XmlReaderSettings settings = new XmlReaderSettings();
settings.XmlResolver = resolver;

// Create the reader.
XmlReader reader = XmlReader.Create("http://serverName/data/books.xml", settings);

System.Object
  System.Xml.XmlReaderSettings
Any public static (Shared in Visual Basic) members of this type are thread safe. Any instance members are not guaranteed to be thread safe.

Windows 98, Windows Server 2000 SP4, Windows CE, Windows Millennium Edition, Windows Mobile for Pocket PC, Windows Mobile for Smartphone, Windows Server 2003, Windows XP Media Center Edition, Windows XP Professional x64 Edition, Windows XP SP2, Windows XP Starter Edition

The Microsoft .NET Framework 3.0 is supported on Windows Vista, Microsoft Windows XP SP2, and Windows Server 2003 SP1.

.NET Framework

Supported in: 3.0, 2.0

.NET Compact Framework

Supported in: 2.0

XNA Framework

Supported in: 1.0
Did you find this helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft. All rights reserved.