XML DOM Security (Windows Embedded CE 6.0)

  • Article

1/6/2010

XML Core Services and Document Object Model (DOM) has the following potential security risks:

  • The DOM is designed to run over a public network, such as the Internet. If the security of the DOM is compromised, it could expose the Windows Embedded CE-based device or local network to the public network.
  • The DOM supports third party extensions. If these extensions do not use proper security and authentication procedures, they could compromise the security of the Windows Embedded CE-based device or local network.
  • If the DOM is used with Microsoft® Internet Explorer or external entity references, and proper security and authentication procedures are not used, the DOM could compromise the security of the Windows Embedded CE-based device or local network.

Best Practices

Ee502672.collapse(en-US,WinEmbedded.60).gifDisable external references to avoid exhausting system resources

Like HTML, XML will resolve links to external data sources by default. Disabling external references will prevent the XML parser from retrieving information not contained in the XML document itself. You can disable external references by setting either of the following flags immediately after creating the DOM object.

put_resolveExternals(false);

– or –

DOM.resolveExternals = false; (for JScript)

Ee502672.collapse(en-US,WinEmbedded.60).gifSet a limit on the amount of data that an application or server will accept for any document

Large amounts of data can overflow system memory, which may cause system instability. Your application should check the amount of data coming into it. If the amount of incoming information exceeds the maximum amount you set, the application should fail to process the request further and it should not load the data into the DOM.

Ee502672.collapse(en-US,WinEmbedded.60).gifIf your application supplies browsing capabilities, implement a security manager, such as the Internet Explorer Security Manager

XML uses the security zones set by URL Monikers Services (URLMON). You can access these security zones through the URLMON registry settings. You will also need to set the IObjectSafety extensions.

For more information about importing the Internet Explorer Security Manager, see "IObject Safety Extensions for Internet Explorer" on MSDN®.

For more information about URLMON security zones, see URL Security Zones.

Default Registry Settings

URLMON security zones affect XML security. For more information about security zones, see URL Security Zones.

You should be aware of the registry settings that impact security. The registry settings documentation contains Security Note entries with information about security issues.

For general XML registry information, see XML Core Services Registry Settings.

See Also

Other Resources

XML Core Services and Document Object Model
XML DOM Application Development
Enhancing the Security of a Device