System.Xml Namespace

 

The System.Xml namespace provides standards-based support for processing XML.

ClassDescription
System_CAPS_pubclassNameTable

Implements a single-threaded XmlNameTable.

System_CAPS_pubclassUniqueId

A unique identifier optimized for Guids.

System_CAPS_pubclassXmlAttribute

Represents an attribute. Valid and default values for the attribute are defined in a document type definition (DTD) or schema.

System_CAPS_pubclassXmlAttributeCollection

Represents a collection of attributes that can be accessed by name or index.

System_CAPS_pubclassXmlBinaryReaderSession

Enables optimized strings to be managed in a dynamic way.

System_CAPS_pubclassXmlBinaryWriterSession

Enables using a dynamic dictionary to compress common strings that appear in a message and maintain state.

System_CAPS_pubclassXmlCDataSection

Represents a CDATA section.

System_CAPS_pubclassXmlCharacterData

Provides text manipulation methods that are used by several classes.

System_CAPS_pubclassXmlComment

Represents the content of an XML comment.

System_CAPS_pubclassXmlConvert

Encodes and decodes XML names, and provides methods for converting between common language runtime types and XML Schema definition language (XSD) types. When converting data types, the values returned are locale-independent.

System_CAPS_pubclassXmlDataDocument

Obsolete.Allows structured data to be stored, retrieved, and manipulated through a relational DataSet.

System_CAPS_pubclassXmlDeclaration

Represents the XML declaration node <?xml version='1.0'...?>.

System_CAPS_pubclassXmlDictionary

Implements a dictionary used to optimize Windows Communication Foundation (WCF)'s XML reader/writer implementations.

System_CAPS_pubclassXmlDictionaryReader

An abstract class that the Windows Communication Foundation (WCF) derives from XmlReader to do serialization and deserialization.

System_CAPS_pubclassXmlDictionaryReaderQuotas

Contains configurable quota values for XmlDictionaryReaders.

System_CAPS_pubclassXmlDictionaryString

Represents an entry stored in a XmlDictionary.

System_CAPS_pubclassXmlDictionaryWriter

Represents an abstract class that Windows Communication Foundation (WCF) derives from XmlWriter to do serialization and deserialization.

System_CAPS_pubclassXmlDocument

Represents an XML document.

You can use this class to load, validate, edit, add, and position XML in a document. For examples, see the Remarks section on this page.

System_CAPS_pubclassXmlDocumentFragment

Represents a lightweight object that is useful for tree insert operations.

System_CAPS_pubclassXmlDocumentType

Represents the document type declaration.

System_CAPS_pubclassXmlElement

Represents an element.

System_CAPS_pubclassXmlEntity

Represents an entity declaration, such as <!ENTITY... >.

System_CAPS_pubclassXmlEntityReference

Represents an entity reference node.

System_CAPS_pubclassXmlException

Returns detailed information about the last exception.

System_CAPS_pubclassXmlImplementation

Defines the context for a set of XmlDocument objects.

System_CAPS_pubclassXmlLinkedNode

Gets the node immediately preceding or following this node.

System_CAPS_pubclassXmlNamedNodeMap

Represents a collection of nodes that can be accessed by name or index.

System_CAPS_pubclassXmlNamespaceManager

Resolves, adds, and removes namespaces to a collection and provides scope management for these namespaces.

System_CAPS_pubclassXmlNameTable

Table of atomized string objects.

System_CAPS_pubclassXmlNode

Represents a single node in the XML document.

System_CAPS_pubclassXmlNodeChangedEventArgs
System_CAPS_pubclassXmlNodeList

Represents an ordered collection of nodes.

System_CAPS_pubclassXmlNodeReader

Represents a reader that provides fast, non-cached forward only access to XML data in an XmlNode.

System_CAPS_pubclassXmlNotation

Represents a notation declaration, such as <!NOTATION... >.

System_CAPS_pubclassXmlParserContext

Provides all the context information required by the XmlReader to parse an XML fragment.

System_CAPS_pubclassXmlProcessingInstruction

Represents a processing instruction, which XML defines to keep processor-specific information in the text of the document.

System_CAPS_pubclassXmlQualifiedName

Represents an XML qualified name.

System_CAPS_pubclassXmlReader

Represents a reader that provides fast, noncached, forward-only access to XML data.

To browse the .NET Framework source code for this type, see the Reference Source.

System_CAPS_pubclassXmlReaderSettings

Specifies a set of features to support on the XmlReader object created by the Create method.

System_CAPS_pubclassXmlResolver

Resolves external XML resources named by a Uniform Resource Identifier (URI).

System_CAPS_pubclassXmlSecureResolver

Helps to secure another implementation of XmlResolver by wrapping the XmlResolver object and restricting the resources that the underlying XmlResolver has access to.

System_CAPS_pubclassXmlSignificantWhitespace

Represents white space between markup in a mixed content node or white space within an xml:space= 'preserve' scope. This is also referred to as significant white space.

System_CAPS_pubclassXmlText

Represents the text content of an element or attribute.

System_CAPS_pubclassXmlTextReader

Represents a reader that provides fast, non-cached, forward-only access to XML data.

Starting with the .NET Framework 2.0, we recommend that you use the System.Xml.XmlReader class instead.

System_CAPS_pubclassXmlTextWriter

Represents a writer that provides a fast, non-cached, forward-only way of generating streams or files containing XML data that conforms to the W3C Extensible Markup Language (XML) 1.0 and the Namespaces in XML recommendations.

Starting with the .NET Framework 2.0, we recommend that you use the System.Xml.XmlWriter class instead.

System_CAPS_pubclassXmlUrlResolver

Resolves external XML resources named by a Uniform Resource Identifier (URI).

System_CAPS_pubclassXmlValidatingReader

Obsolete.Represents a reader that provides document type definition (DTD), XML-Data Reduced (XDR) schema, and XML Schema definition language (XSD) validation.

This class is obsolete. Starting with the .NET Framework 2.0, we recommend that you use the XmlReaderSettings class and the XmlReader.Create method to create a validating XML reader.

System_CAPS_pubclassXmlWhitespace

Represents white space in element content.

System_CAPS_pubclassXmlWriter

Represents a writer that provides a fast, non-cached, forward-only way to generate streams or files that contain XML data.

System_CAPS_pubclassXmlWriterSettings

Specifies a set of features to support on the XmlWriter object created by the XmlWriter.Create method.

System_CAPS_pubclassXmlXapResolver

Obsolete.The XmlXapResolver type is used to resolve resources in the Silverlight application’s XAP package.

InterfaceDescription
System_CAPS_pubinterfaceIApplicationResourceStreamResolver

Obsolete.Represents an application resource stream resolver.

System_CAPS_pubinterfaceIFragmentCapableXmlDictionaryWriter

Contains properties and methods that when implemented by a XmlDictionaryWriter, allows processing of XML fragments.

System_CAPS_pubinterfaceIHasXmlNode

Enables a class to return an XmlNode from the current context or position.

System_CAPS_pubinterfaceIStreamProvider

Represents an interface that can be implemented by classes providing streams.

System_CAPS_pubinterfaceIXmlBinaryReaderInitializer

Provides methods for reinitializing a binary reader to read a new document.

System_CAPS_pubinterfaceIXmlBinaryWriterInitializer

Specifies implementation requirements for XML binary writers that derive from this interface.

System_CAPS_pubinterfaceIXmlDictionary

An interface that defines the contract that an Xml dictionary must implement to be used by XmlDictionaryReader and XmlDictionaryWriter implementations.

System_CAPS_pubinterfaceIXmlLineInfo

Provides an interface to enable a class to return line and position information.

System_CAPS_pubinterfaceIXmlMtomReaderInitializer

Specifies implementation requirements for XML MTOM readers that derive from this interface.

System_CAPS_pubinterfaceIXmlMtomWriterInitializer

When implemented by an MTOM writer, this interface ensures initialization for an MTOM writer.

System_CAPS_pubinterfaceIXmlNamespaceResolver

Provides read-only access to a set of prefix and namespace mappings.

System_CAPS_pubinterfaceIXmlTextReaderInitializer

Specifies implementation requirements for XML text readers that derive from this interface.

System_CAPS_pubinterfaceIXmlTextWriterInitializer

Specifies implementation requirements for XML text writers that derive from this interface.

DelegateDescription
System_CAPS_pubdelegateOnXmlDictionaryReaderClose

delegate for a callback method when closing the reader.

System_CAPS_pubdelegateXmlNodeChangedEventHandler

Represents the method that handles NodeChanged, NodeChanging, NodeInserted, NodeInserting, NodeRemoved and NodeRemoving events.

EnumerationDescription
System_CAPS_pubenumConformanceLevel

Specifies the amount of input or output checking that XmlReader and XmlWriter objects perform.

System_CAPS_pubenumDtdProcessing

Specifies the options for processing DTDs. The DtdProcessing enumeration is used by the XmlReaderSettings class.

System_CAPS_pubenumEntityHandling

Specifies how the XmlTextReader or XmlValidatingReader handle entities.

System_CAPS_pubenumFormatting

Specifies formatting options for the XmlTextWriter.

System_CAPS_pubenumNamespaceHandling

Specifies whether to remove duplicate namespace declarations in the XmlWriter.

System_CAPS_pubenumNewLineHandling

Specifies how to handle line breaks.

System_CAPS_pubenumReadState

Specifies the state of the reader.

System_CAPS_pubenumValidationType

Specifies the type of validation to perform.

System_CAPS_pubenumWhitespaceHandling

Specifies how white space is handled.

System_CAPS_pubenumWriteState

Specifies the state of the XmlWriter.

System_CAPS_pubenumXmlDateTimeSerializationMode

Specifies how to treat the time value when converting between string and DateTime.

System_CAPS_pubenumXmlDictionaryReaderQuotaTypes

Enumerates the configurable quota values for XmlDictionaryReaders.

System_CAPS_pubenumXmlNamespaceScope

Defines the namespace scope.

System_CAPS_pubenumXmlNodeChangedAction

Specifies the type of node change.

System_CAPS_pubenumXmlNodeOrder

Describes the document order of a node compared to a second node.

System_CAPS_pubenumXmlNodeType

Specifies the type of node.

System_CAPS_pubenumXmlOutputMethod

Specifies the method used to serialize the XmlWriter output.

System_CAPS_pubenumXmlSpace

Specifies the current xml:space scope.

System_CAPS_pubenumXmlTokenizedType

Represents the XML type for the string. This allows the string to be read as a particular XML type, for example a CDATA section type.

The System.Xml namespace supports these standards:

See the section Differences from the W3C specs for two cases in which the XML classes differ from the W3C recommendations.

The .NET Framework also provides other namespaces for XML-related operations. For a list, descriptions, and links, see the System.Xml Namespaces webpage.

The System.Xml.XmlReader and System.Xml.XmlWriter classes include a number of asynchronous methods that are based on the . These methods can be identified by the string "Async" at the end of their names. With these methods, you can write asynchronous code that's similar to your synchronous code, and you can migrate your existing synchronous code to asynchronous code easily.

  • Use the asynchronous methods in apps where there is significant network stream latency. Avoid using the asynchronous APIs for memory stream or local file stream read/write operations. The input stream, XmlTextReader, and XmlTextWriter should support asynchronous operations as well. Otherwise, threads will still be blocked by I/O operations.

  • We don't recommend mixing synchronous and asynchronous function calls, because you might forget to use the await keyword or use a synchronous API where an asynchronous one is necessary.

  • Do not set the XmlReaderSettings.Async or XmlWriterSettings.Async flag to true if you don't intend to use an asynchronous method.

  • If you forget to specify the await keyword when you call an asynchronous method, the results are non-deterministic: You might receive the result you expected or an exception.

  • When an XmlReader object is reading a large text node, it might cache only a partial text value and return the text node, so retrieving the XmlReader.Value property might be blocked by an I/O operation. Use the GetValueAsync method to get the text value in asynchronous mode, or use the ReadValueChunkAsync method to read a large text block in chunks.

  • When you use an XmlWriter object, call the FlushAsync method before calling Close to avoid blocking an I/O operation.

In two cases that involve constraints on model group schema components, the System.Xml namespace differs from the W3C recommendations.

Consistency in element declarations:

In some cases, when substitution groups are used, the System.Xml implementation does not satisfy the "Schema Component Constraint: Element Declarations Consistent," which is described in the Constraints on Model Group Schema Components section of the W3C spec.

For example, the following schema includes elements that have the same name but different types in the same content model, and substitution groups are used. This should cause an error, but System.Xml compiles and validates the schema without errors.

<?xml version="1.0" encoding="utf-8" ?> 
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified">

   <xs:element name="e1" type="t1"/>
   <xs:complexType name="t1"/>

   <xs:element name="e2" type="t2" substitutionGroup="e1"/>
      <xs:complexType name="t2">
         <xs:complexContent>
            <xs:extension base="t1">
         </xs:extension>
      </xs:complexContent>
   </xs:complexType>

   <xs:complexType name="t3">
      <xs:sequence>
         <xs:element ref="e1"/>
         <xs:element name="e2" type="xs:int"/>
      </xs:sequence>
   </xs:complexType>
</xs:schema>

In this schema, type t3 contains a sequence of elements. Because of the substitution, the reference to element e1 from the sequence can result either in element e1 of type t1 or in element e2 of type t2. The latter case would result in a sequence of two e2 elements, where one is of type t2 and the other is of type xs:int.

Unique particle attribution:

Under the following conditions, the System.Xml implementation does not satisfy the "Schema Component Constraint: Unique Particle Attribution," which is described in the Constraints on Model Group Schema Components section of the W3C spec.

  • One of the elements in the group references another element.

  • The referenced element is a head element of a substitution group.

  • The substitution group contains an element that has the same name as one of the elements in the group.

  • The cardinality of the element that references the substitution group head element and the element with the same name as a substitution group element is not fixed (minOccurs < maxOccurs).

  • The definition of the element that references the substitution group precedes the definition of the element with the same name as a substitution group element.

For example, in the schema below the content model is ambiguous and should cause a compilation error, but System.Xml compiles the schema without errors.

<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified">

  <xs:element name="e1" type="xs:int"/>
  <xs:element name="e2" type="xs:int" substitutionGroup="e1"/>

  <xs:complexType name="t3">
    <xs:sequence>
      <xs:element ref="e1" minOccurs="0" maxOccurs="1"/>
      <xs:element name="e2" type="xs:int" minOccurs="0" maxOccurs="1"/>
    </xs:sequence>
  </xs:complexType>

  <xs:element name="e3" type="t3"/>
</xs:schema>

If you try to validate the following XML against the schema above, the validation will fail with the following message: "The element 'e3' has invalid child element 'e2'." and an XmlSchemaValidationException exception will be thrown.

<e3>
  <e2>1</e2>
  <e2>2</e2>
</e3>

To work around this problem, you can swap element declarations in the XSD document. For example:

<xs:sequence>
  <xs:element ref="e1" minOccurs="0" maxOccurs="1"/>
  <xs:element name="e2" type="xs:int" minOccurs="0" maxOccurs="1"/>
</xs:sequence>

becomes this:

<xs:sequence>
  <xs:element name="e2" type="xs:int" minOccurs="0" maxOccurs="1"/>
  <xs:element ref="e1" minOccurs="0" maxOccurs="1"/>
</xs:sequence>

Here's another example of the same issue:

<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified">
   <xs:element name="e1" type="xs:string"/>
   <xs:element name="e2" type="xs:string" substitutionGroup="e1"/>

   <xs:complexType name="t3">
      <xs:sequence>
         <xs:element ref="e1" minOccurs="0" maxOccurs="1"/>
         <xs:element name="e2" type="xs:int" minOccurs="0" maxOccurs="1"/>
      </xs:sequence>
   </xs:complexType>
   <xs:element name="e3" type="t3"/>
</xs:schema>

If you try to validate the following XML against the schema above, the validation will fail with the following exception: "Unhandled Exception: System.Xml.Schema.XmlSchemaValidationException: The 'e2' el element is invalid - The value 'abc' is invalid according to its datatype 'http://www.w3.org/2001/XMLSchema:int' - The string 'abc' is not a valid Int32 value."\

<e3><e2>abc</e2></e3>

The types and members in the System.Xml namespace rely on the . The following sections discuss security issues that are specific to XML technologies. For details, see the specific classes and members mentioned, and visit the XML Developer Center for technical information, downloads, newsgroups, and other resources for XML developers.

Also note that when you use the System.Xml types and members, if the XML contains data that has potential privacy implications, you need to implement your app in a way that respects your end users' privacy.

External access

Several XML technologies have the ability to retrieve other documents during processing. For example, a document type definition (DTD) can reside in the document being parsed. The DTD can also live in an external document that is referenced by the document being parsed. The XML Schema definition language (XSD) and XSLT technologies also have the ability to include information from other files. These external resources can present some security concerns. For example, you'll want to ensure that your app retrieves files only from trusted sites, and that the file it retrieves doesn't contain malicious data.

The XmlUrlResolver class is used to load XML documents and to resolve external resources such as entities, DTDs, or schemas, and import or include directives.

You can override this class and specify the XmlResolver object to use. Use the XmlSecureResolver class if you need to open a resource that you do not control, or that is untrusted. The XmlSecureResolver wraps an XmlResolver and allows you to restrict the resources that the underlying XmlResolver has access to.

Denial of service

The following scenarios are considered to be less vulnerable to denial of service attacks because the System.Xml classes provide a means of protection from such attacks.

  • Parsing text XML data.

  • Parsing binary XML data if the binary XML data was generated by Microsoft SQL Server.

  • Writing XML documents and fragments from data sources to the file system, streams, a TextWriter, or a StringBuilder.

  • Loading documents into the Document Object Model (DOM) object if you are using an XmlReader object and DtdProcessing set to Prohibit.

  • Navigating the DOM object.

The following scenarios are not recommended if you are concerned about denial of service attacks, or if you are working in an untrusted environment.

  • DTD processing.

  • Schema processing. This includes adding an untrusted schema to the schema collection, compiling an untrusted schema, and validating by using an untrusted schema.

  • XSLT processing.

  • Parsing any arbitrary stream of user supplied binary XML data.

  • DOM operations such as querying, editing, moving sub-trees between documents, and saving DOM objects.

If you are concerned about denial of service issues or if you are dealing with untrusted sources, do not enable DTD processing. This is disabled by default on XmlReader objects that the Create method creates.

System_CAPS_noteNote

The XmlTextReader allows DTD processing by default. Use the XmlTextReader.DtdProcessing property to disable this feature.

If you have DTD processing enabled, you can use the XmlSecureResolver class to restrict the resources that the XmlReader can access. You can also design your app so that the XML processing is memory and time constrained. For example, you can configure timeout limits in your ASP.NET app.

Processing considerations

Because XML documents can include references to other files, it is difficult to determine how much processing power is required to parse an XML document. For example, XML documents can include a DTD. If the DTD contains nested entities or complex content models, it could take an excessive amount of time to parse the document.

When using XmlReader, you can limit the size of the document that can be parsed by setting the MaxCharactersInDocument property. You can limit the number of characters that result from expanding entities by setting the MaxCharactersFromEntities property. See the appropriate reference topics for examples of setting these properties.

The XSD and XSLT technologies have additional capabilities that can affect processing performance. For example, it is possible to construct an XML schema that requires a substantial amount of time to process when evaluated over a relatively small document. It is also possible to embed script blocks within an XSLT style sheet. Both cases pose a potential security threat to your app.

When creating an app that uses the XslCompiledTransform class, you should be aware of the following items and their implications:

  • XSLT scripting is disabled by default. XSLT scripting should be enabled only if you require script support and you are working in a fully trusted environment.

  • The XSLT document() function is disabled by default. If you enable the document() function, restrict the resources that can be accessed by passing an XmlSecureResolver object to the Transform method.

  • Extension objects are enabled by default. If an XsltArgumentList object that contains extension objects is passed to the Transform method, the extension objects are used.

  • XSLT style sheets can include references to other files and embedded script blocks. A malicious user can exploit this by supplying you with data or style sheets that, when executed, can cause your system to process until the computer runs low on resources.

  • XSLT apps that run in a mixed trust environment can result in style sheet spoofing. For example, a malicious user can load an object with a harmful style sheet and hand it off to another user who subsequently calls the Transform method and executes the transformation.

These security issues can be mitigated by not enabling scripting or the document() function unless the style sheet comes from a trusted source, and by not accepting XslCompiledTransform objects, XSLT style sheets, or XML source data from an untrusted source.

Exception handling

Exceptions thrown by lower level components can disclose path information that you do not want exposed to the app. Your apps must catch exceptions and process them appropriately.

Return to top
Show: