The method System.Xml.XmlSecureResolver.GetEntity(Uri, String, Type) unconditionally throws an XmlException at run time. If your application utilizes XmlSecureResolver and you attempt to resolve an XML resource through it, resolution will fail with an exception.
Additionally, the entire System.Xml.XmlSecureResolver type is obsolete. All references to this type will result in a SYSLIB0047 warning at build time. If you've enabled warnings as errors, this will cause a build break if your application references XmlSecureResolver.
```csharp
using System.Xml;

// Compiler warning SYSLIB0047: XmlSecureResolver type is obsolete.
XmlResolver resolver = new XmlSecureResolver(
    resolver: new XmlUrlResolver(),
    securityUrl: "https://www.example.com/");

// Call to XmlSecureResolver.GetEntity below throws XmlException at run time.
object entity = resolver.GetEntity(
    absoluteUri: new Uri("https://www.example.com/some-entity"),
    role: null,
    ofObjectToReturn: null);
```
In .NET Framework, XmlSecureResolver.GetEntity(Uri, String, Type) constructs a Code Access Security (CAS) sandbox to restrict the external XML resource resolution process. If policy is violated, a SecurityException is thrown.
In .NET Core 3.1 and .NET 6, XmlSecureResolver.GetEntity(Uri, String, Type) doesn't restrict external XML resource resolution at all. External resource resolution is allowed to proceed with no limitations.
Starting in .NET 7, XmlSecureResolver.GetEntity(Uri, String, Type) unconditionally throws an XmlException. It does not construct a CAS sandbox and does not attempt to resolve the external resource.
.NET 7
This change can affect source compatibility and binary compatibility.
This change improves the security of the .NET ecosystem. This obsoletion moves the behavior of XmlSecureResolver from fail-dangerous (always perform resolution) to fail-safe (never perform resolution) when running on .NET 7 or later.
Consider instead using the newly introduced static property XmlResolver.ThrowingResolver. This property provides an XmlResolver instance that forbids external resource resolution.
```csharp
using System.Xml;

// BAD: Do not use XmlSecureResolver.
// XmlResolver resolver = new XmlSecureResolver(
//     resolver: new XmlUrlResolver(),
//     securityUrl: "https://www.example.com/");

// GOOD: Use XmlResolver.ThrowingResolver instead.
XmlResolver resolver = XmlResolver.ThrowingResolver;
```
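The following added example (not part of the original article) shows XmlResolver.ThrowingResolver wired into an XmlReader on .NET 7 or later, so that a document referencing an external entity is rejected while a plain document still parses. The `Describe` helper and both sample documents are constructed for illustration.

```csharp
using System;
using System.IO;
using System.Xml;

// Constructed sample input: the DTD declares an external entity that the body references.
const string WithExternalEntity =
    "<!DOCTYPE order [ <!ENTITY ext SYSTEM \"https://www.example.com/some-entity\"> ]>" +
    "<order>&ext;</order>";

// Constructed sample input: no DTD, so there is nothing for a resolver to fetch.
const string Plain = "<order><id>42</id></order>";

Console.WriteLine(Describe(WithExternalEntity));
Console.WriteLine(Describe(Plain));

// Hypothetical helper: reads the whole document and reports whether it was accepted.
static string Describe(string xml)
{
    var settings = new XmlReaderSettings
    {
        // The default is DtdProcessing.Prohibit. Parse is enabled here only so the
        // entity reference is expanded and the resolver is actually consulted.
        DtdProcessing = DtdProcessing.Parse,
        // Fail-safe: any attempt to resolve an external resource throws.
        XmlResolver = XmlResolver.ThrowingResolver
    };

    try
    {
        using var reader = XmlReader.Create(new StringReader(xml), settings);
        while (reader.Read()) { }
        return "parsed without external resolution";
    }
    catch (XmlException ex)
    {
        // Surfaces when the reader asks the resolver for the external entity.
        return "rejected: " + ex.Message;
    }
}
```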