XmlResolver Class

Resolves external XML resources named by a Uniform Resource Identifier (URI).

Namespace: System.Xml
Assembly: System.Xml (in system.xml.dll)

public abstract class XmlResolver
public abstract class XmlResolver
public abstract class XmlResolver

XmlResolver is used to resolve external XML resources, such as entities, document type definitions (DTDs), or schemas. It is also used to process include and import elements found in Extensible StyleSheet Language (XSL) style sheets or XML Schema definition language (XSD) schemas.

XmlUrlResolver is a concrete implementation of XmlResolver and is the default resolver for all classes in the System.Xml namespace. You can also create your own resolver.

Security Considerations

You should consider the following items when working with the XmlResolver class.

  • XmlResolver objects can contain sensitive information such as user credentials. You should be careful when caching XmlResolver objects and should not pass the XmlResolver object to an untrusted component.

  • If you are designing a class property that uses the XmlResolver class, the property should be defined as a write-only property. The property can be used to specify the XmlResolver to use, but it cannot be used to return an XmlResolver object.

  • If your application accepts XmlResolver objects from untrusted code, you cannot assume that the URI passed into the GetEntity method will be the same as that returned by the ResolveUri method. Classes derived from the XmlResolver class can override the GetEntity method and return data that is different than what was contained in the original URI.

  • Your application can mitigate memory Denial of Service threats to the GetEntity method by implementing a wrapping implemented IStream that limits the number of bytes read. This helps to guard against situations where malicious code attempts to pass an infinite stream of bytes to the GetEntity method.

The following example creates an XmlReader that uses an XmlUrlResolver with default credentials.

// Create an XmlUrlResolver with default credentials.
XmlUrlResolver resolver = new XmlUrlResolver();
resolver.Credentials = CredentialCache.DefaultCredentials;

// Create the reader.
XmlReaderSettings settings = new XmlReaderSettings();
settings.XmlResolver = resolver;
XmlReader reader = XmlReader.Create("http://serverName/data/books.xml");

Any public static (Shared in Visual Basic) members of this type are thread safe. Any instance members are not guaranteed to be thread safe.

Windows 98, Windows 2000 SP4, Windows CE, Windows Millennium Edition, Windows Mobile for Pocket PC, Windows Mobile for Smartphone, Windows Server 2003, Windows XP Media Center Edition, Windows XP Professional x64 Edition, Windows XP SP2, Windows XP Starter Edition

The .NET Framework does not support all versions of every platform. For a list of the supported versions, see System Requirements.

.NET Framework

Supported in: 2.0, 1.1, 1.0

.NET Compact Framework

Supported in: 2.0, 1.0