Serialization is the process of writing values in C data structures (structs, arrays, and primitive values) as an XML element. Deserialization is the reverse process.
Both processes rely on a description of the mapping between the C data structures and the XML.
The XML Reader is used in the deserialization process. Refer to the security section of XML Reader for XML-related security information.
The deserializer continues to deserialize data until it has completed reading the element being deserialized. Deserialization fails when it encounters an XML document that does not conform to the description of the data being deserialized. At that point the XML reader being used becomes invalid, and an error is returned.
By default deserialization is strict. Conditions that cause deserialization to fail include, but are not limited to:
- An expected element is missing
- Unexpected element fields appear between required elements
- Extra element content appears after the required fields, unless the WS_STRUCT_IGNORE_TRAILING_ELEMENT_CONTENT flag is specified
- Unexpected attributes appear, unless the WS_STRUCT_IGNORE_UNHANDLED_ATTRIBUTES flag is specified
- A data type value is out of the specified range
- The count of a repeating element is out of the specified range
Serializing a large amount of data might cause excessive memory allocation and can enable a denial-of-service attack. The user that is deserializing data must specify a Heap object in which to allocate the data, and can use the heap allocation limit to prevent a memory allocation attack.
Range support for data types (for example, the maximum length of a string or the maximum element count of an array) lets the user control the maximum size of different data types. The user can specify a range in the data description or schema to limit the maximum size of different data.
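The two controls described above, a capped heap and a count range on a repeating element, are shown together in the following added example. It is a constructed C model written for this page, not the WWSAPI heap or deserializer: `bounded_heap`, `item_range`, `deserialize_int32_array` and `try_count` are illustrative names, and the payload is a constructed array of zeros. The point it demonstrates is the order of the checks: the declared item count is validated against the description before any memory is requested, and the request itself is refused once it would exceed the heap limit.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of a heap with an allocation limit. It is not the WWSAPI
 * heap; it only mirrors the idea that the deserializer allocates from a
 * caller-supplied heap whose total size is capped. */
typedef struct {
    size_t limit;      /* maximum total bytes this heap may hand out */
    size_t allocated;  /* bytes handed out so far */
} bounded_heap;

/* Returns NULL instead of growing past the limit. The subtraction form avoids
 * overflow when 'n' is huge. */
static void *heap_alloc(bounded_heap *h, size_t n)
{
    if (n > h->limit - h->allocated)
        return NULL;
    void *p = malloc(n);
    if (p != NULL)
        h->allocated += n;
    return p;
}

/* Constructed stand-in for the count range a data description can attach to
 * a repeating element. */
typedef struct {
    uint32_t min_count;
    uint32_t max_count;
} item_range;

enum { DS_OK = 0, DS_RANGE = 1, DS_NO_MEMORY = 2 };

/* Model deserializer for a repeating int32 element. The item count is checked
 * against the description's range before any memory is requested, and the
 * request itself is subject to the heap limit, so neither a huge declared
 * count nor a large total payload can allocate without bound. */
static int deserialize_int32_array(bounded_heap *h, const item_range *r,
                                   const int32_t *wire, uint32_t count,
                                   int32_t **out)
{
    if (count < r->min_count || count > r->max_count)
        return DS_RANGE;
    int32_t *buf = heap_alloc(h, (size_t)count * sizeof *buf);
    if (buf == NULL)
        return DS_NO_MEMORY;
    memcpy(buf, wire, (size_t)count * sizeof *buf);
    *out = buf;
    return DS_OK;
}

/* Run one scenario on a fresh heap: 'limit' bytes available, 'count' items
 * declared on the wire, description range 1..100. Returns the outcome code. */
static int try_count(size_t limit, uint32_t count)
{
    static const int32_t wire[100] = { 0 };   /* constructed payload */
    bounded_heap h = { limit, 0 };
    item_range r = { 1, 100 };
    int32_t *items = NULL;
    int rc = deserialize_int32_array(&h, &r, wire, count, &items);
    free(items);
    return rc;
}

int main(void)
{
    printf("8 items, 64-byte heap:  %d\n", try_count(64, 8));     /* 0: DS_OK */
    printf("20 items, 64-byte heap: %d\n", try_count(64, 20));    /* 2: DS_NO_MEMORY */
    printf("0 items, 64-byte heap:  %d\n", try_count(64, 0));     /* 1: DS_RANGE */
    printf("101 items, 4 KiB heap:  %d\n", try_count(4096, 101)); /* 1: DS_RANGE */
    return 0;
}
```

The range check runs first so that a description-level limit (max element count) rejects an oversized count without consuming any heap, while the heap limit is the backstop for data whose total size is large even when every individual range is respected.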
A string value containing an embedded zero is supported in the wire formats (text, binary, MTOM). When deserializing a string that may contain an embedded zero, the user should use a counted string (WS_STRING) so that the zero does not confuse the calculation of the string's length. If a string value containing an embedded zero is deserialized into a field that expects a zero-terminated string, an error is returned and deserialization fails. If wsutil is used to generate data descriptions, the /string:WS_STRING option should be used when strings with embedded zeros are expected.
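The following added example makes the embedded-zero behaviour concrete. It is a portable C model written for this page, not WWSAPI code: `counted_string` stands in for WS_STRING (which in WWSAPI holds a length and a WCHAR pointer; plain char is used here for portability), and `read_counted`, `read_zero_terminated` and the scenario helpers are illustrative names. The wire values are constructed. It shows that a counted string preserves the full length of a value such as `ab\0cd`, that treating the same bytes as a C string miscounts it, and that deserializing such a value into a zero-terminated field is refused rather than silently truncated.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed counted-string type standing in for WS_STRING. WWSAPI's
 * WS_STRING carries a length and a WCHAR pointer; char is used here only so
 * the example is portable. */
typedef struct {
    size_t length;
    char *chars;
} counted_string;

enum { STR_OK = 0, STR_EMBEDDED_ZERO = 1, STR_NO_MEMORY = 2 };

/* Deserialize into a counted string: the length comes from the wire, so an
 * embedded zero is just another character and nothing is lost. */
static int read_counted(const char *wire, size_t wire_len, counted_string *out)
{
    char *buf = malloc(wire_len ? wire_len : 1);
    if (buf == NULL)
        return STR_NO_MEMORY;
    memcpy(buf, wire, wire_len);
    out->chars = buf;
    out->length = wire_len;
    return STR_OK;
}

/* Deserialize into a zero-terminated field: a zero inside the value would
 * silently cut the string short, so this model refuses the value rather than
 * return a truncated string, matching the behaviour documented above. */
static int read_zero_terminated(const char *wire, size_t wire_len, char **out)
{
    if (memchr(wire, '\0', wire_len) != NULL)
        return STR_EMBEDDED_ZERO;
    char *buf = malloc(wire_len + 1);
    if (buf == NULL)
        return STR_NO_MEMORY;
    memcpy(buf, wire, wire_len);
    buf[wire_len] = '\0';
    *out = buf;
    return STR_OK;
}

/* Scenario helpers: each reads one wire value, reports one fact, and frees. */

/* Length the counted string records for the value. */
static size_t counted_length(const char *wire, size_t wire_len)
{
    counted_string s = { 0, NULL };
    if (read_counted(wire, wire_len, &s) != STR_OK)
        return (size_t)-1;
    size_t n = s.length;
    free(s.chars);
    return n;
}

/* Length a zero-terminated view of the same bytes would report: this is the
 * miscount that using a counted string avoids. */
static size_t strlen_view(const char *wire, size_t wire_len)
{
    counted_string s = { 0, NULL };
    if (read_counted(wire, wire_len, &s) != STR_OK)
        return (size_t)-1;
    const char *z = memchr(s.chars, '\0', s.length);
    size_t n = z ? (size_t)(z - s.chars) : s.length;
    free(s.chars);
    return n;
}

/* Outcome code of deserializing the value into a zero-terminated field. */
static int zero_terminated_outcome(const char *wire, size_t wire_len)
{
    char *s = NULL;
    int rc = read_zero_terminated(wire, wire_len, &s);
    free(s);
    return rc;
}

int main(void)
{
    /* Constructed wire values: one with an embedded zero, one without. */
    static const char with_zero[] = { 'a', 'b', '\0', 'c', 'd' };
    static const char plain[] = { 'a', 'b', 'c' };

    printf("counted length    : %zu\n", counted_length(with_zero, sizeof with_zero));            /* 5 */
    printf("strlen view       : %zu\n", strlen_view(with_zero, sizeof with_zero));               /* 2 */
    printf("zero-terminated rc: %d\n", zero_terminated_outcome(with_zero, sizeof with_zero));    /* 1 */
    printf("plain value rc    : %d\n", zero_terminated_outcome(plain, sizeof plain));            /* 0 */
    return 0;
}
```

The defensive choice in `read_zero_terminated` is to fail before allocating: a truncated value that passes through unnoticed is the harder bug to find later, so an explicit error at deserialization time is preferable.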
The following callbacks are used with serialization: