XmlResolver Class
[ This article is for Windows Phone 8 developers. If you’re developing for Windows 10, see the latest documentation. ]
Resolves external XML resources named by a Uniform Resource Identifier (URI).
Assembly: System.Xml (in System.Xml.dll)
The XmlResolver type exposes the following members.
| Name | Description | |
|---|---|---|
 | Equals(Object) | Determines whether the specified Object is equal to the current Object. (Inherited from Object.) |
 | Finalize | Allows an object to try to free resources and perform other cleanup operations before the Object is reclaimed by garbage collection. (Inherited from Object.) |
| GetEntity | When overridden in a derived class, maps a URI to an object containing the actual resource. |
| GetHashCode | Serves as a hash function for a particular type. (Inherited from Object.) |
| GetType | Gets the Type of the current instance. (Inherited from Object.) |
| MemberwiseClone | Creates a shallow copy of the current Object. (Inherited from Object.) |
| ResolveUri | When overridden in a derived class, resolves the absolute URI from the base and relative URIs. |
| SupportsType | This method adds the ability for the resolver to return other types than just Stream. |
| ToString | Returns a string that represents the current object. (Inherited from Object.) |
XmlResolver is used to resolve external XML resources, such as entities or document type definitions (DTDs).
Security Considerations
Consider the following items when working with the XmlResolver class.
XmlResolver objects can contain sensitive information such as user credentials. You should be careful when caching XmlResolver objects and should not pass the XmlResolver object to an untrusted component.
If you are designing a class property that uses the XmlResolver class, the property should be defined as a write-only property. The property can be used to specify the XmlResolver to use, but it cannot be used to return an XmlResolver object.
If your application accepts XmlResolver objects from untrusted code, you cannot assume that the URI passed into the GetEntity method will be the same as that returned by the ResolveUri method. Classes derived from the XmlResolver class can override the GetEntity method and return data that is different than what was contained in the original URI.
Your application can mitigate memory Denial of Service threats to the GetEntity method by implementing a wrapping implemented IStream that limits the number of bytes read. This helps to guard against situations where malicious code attempts to pass an infinite stream of bytes to the GetEntity method.