System.Xml.XmlReaderSettings.Schemas property

This article provides supplementary remarks to the reference documentation for this API.

This article pertains to the Schemas property.

Important

  • Do not use schemas from unknown or untrusted sources or locations. Doing so compromises the security of your code.
  • XML schemas (including inline schemas) are inherently vulnerable to denial of service attacks; do not accept them in untrusted scenarios.
  • Schema validation error messages and exceptions may expose sensitive information about the content model or URI paths to the schema file. Be careful not to expose this information to untrusted callers.
  • For additional information, see the "Security considerations" section.

The XmlSchemaSet class only supports XML Schema definition language (XSD) schemas. XmlReader instances created by the Create method cannot be configured to enable XML-Data Reduced (XDR) schema validation.

Security considerations

  • Do not use schemas from unknown or untrusted sources. Doing so will compromise the security of your code. The XmlUrlResolver class is used to resolve external schemas by default. To disable resolution of include, import, and redefine elements of a schema, set the XmlSchemaSet.XmlResolver property to null.

  • Exceptions raised as a result of using the XmlSchemaSet class, such as XmlSchemaException, may contain sensitive information that should not be exposed in untrusted scenarios. For example, the SourceUri property of an XmlSchemaException returns the URI path to the schema file that caused the exception. Handle these exceptions so that SourceUri and other sensitive information are not exposed in untrusted scenarios.
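
The following C# sketch is an added example, not code from the reference documentation. It applies both considerations above: the XmlSchemaSet resolver is set to null, inline schemas are ignored, and XmlSchemaException details are logged internally while the caller receives a generic message. The class name, method names, schema, and sample documents are constructed for illustration.

```csharp
using System;
using System.IO;
using System.Xml;
using System.Xml.Schema;

static class SchemaValidationExample
{
    // Constructed sample schema, embedded so the example runs offline.
    const string Xsd = @"<xs:schema xmlns:xs='http://www.w3.org/2001/XMLSchema'>
  <xs:element name='order'><xs:complexType><xs:sequence>
    <xs:element name='qty' type='xs:positiveInteger'/>
  </xs:sequence></xs:complexType></xs:element>
</xs:schema>";

    static XmlReaderSettings BuildSettings()
    {
        var schemas = new XmlSchemaSet();
        // Set before adding schemas: include, import and redefine are not resolved.
        schemas.XmlResolver = null;
        using (var xsd = XmlReader.Create(new StringReader(Xsd)))
            schemas.Add(null, xsd);
        schemas.Compile();
        var settings = new XmlReaderSettings { ValidationType = ValidationType.Schema, Schemas = schemas };
        // Ignore inline schemas and xsi:schemaLocation hints carried by the document.
        settings.ValidationFlags &= ~(XmlSchemaValidationFlags.ProcessInlineSchema
                                    | XmlSchemaValidationFlags.ProcessSchemaLocation);
        return settings;
    }

    // Returns a caller-safe result; details go only to the internal log (stderr here).
    static string Validate(string xml, XmlReaderSettings settings)
    {
        try
        {
            using (var reader = XmlReader.Create(new StringReader(xml), settings))
                while (reader.Read()) { }
            return "Document is valid.";
        }
        catch (XmlSchemaException ex)
        {
            // SourceUri and Message can reveal schema paths and the content model.
            Console.Error.WriteLine($"[internal] {ex.SourceUri} line {ex.LineNumber}: {ex.Message}");
            return "Document failed validation.";
        }
    }

    static void Main()
    {
        var settings = BuildSettings();
        Console.WriteLine(Validate("<order><qty>3</qty></order>", settings));  // constructed input
        Console.WriteLine(Validate("<order><qty>-1</qty></order>", settings)); // constructed input
    }
}
```

Because no ValidationEventHandler is registered, the first validation error is thrown as an exception derived from XmlSchemaException, which is why a single catch block covers it.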