XML Reader is a cursor over an input source of XML. At its core, an XML Reader reads one XML Node at a time, but there are additional helper APIs to make reading a sequence of nodes easier.
The following types of readers input are supported:
The reader will verify that the attributes present on an element are unique. The time required to perform this validation is a function of the number of attributes on the element which can be as large as WS_XML_READER_PROPERTY_MAX_ATTRIBUTES. Therefore, processing large documents when WS_XML_READER_PROPERTY_MAX_ATTRIBUTES is set to a large value may present an opportunity for a denial of service attack.
The reader will map prefixes to namespaces for each element and attributes. The time required to perform this mapping is a function of the number of xmlns attributes in scope which may be as large as WS_XML_READER_PROPERTY_MAX_NAMESPACES. Therefore, processing large documents when this property is set to a large value may present an opportunity for a denial of service attack.
While the reader will ensure that the document follows the grammatical specification of xml and furthermore that its aspects are within the quotas specified, the content of the document must still be considered untrusted when coming from an untrusted source. Users of the reader should check all element and attribute names and namespaces using WsReadToStartElement, WsFindAttribute, or by manually inspecting nodes.
Some other situations to consider include, but are not limited to:
- Expected elements may be missing
- Unexpected elements may appear
- Expected attributes may be missing
- Unexpected attributes may appear
- Elements may appear as empty elements
- Whitespace may appear in unexpected places
Users of the reader should not allocate memory based simply on values read from the document. For example, consider the following xml document:
<array count='1000000'> <!-- malicious document provider didn't actually provide 1000000 array items --> </array>
Allocating an array based soley on the assumption that some number of elements will follow would be a potential attack vector. The user of the reader in this case should instead incrementally allocate the memory as the elements appear.
XML reader does not support DTD. The user of the reader does not need to concern about DTD verification.
The following callback is used with XML readers: