[Breaking change]: XmlSecureResolver obsolete as of .NET 7 RC1
Breaking change notice
The type System.Xml.XmlSecureResolver is obsolete as warning. The method System.Xml.XmlSecureResolver.GetEntity unconditionally throws XmlException.
Description
The method System.Xml.XmlSecureResolver.GetEntity will unconditionally throw an XmlException at runtime. If your application utilizes XmlSecureResolver and you attempt to resolve an entity through it, entity resolution will fail with an exception.
Additionally, the entirety of the type System.Xml.XmlSecureResolver is obsolete as warning. All references to this type will inject a SYSLIB0047 warning into your build. If you have enabled warnings as errors, this will cause a build break if your application references XmlSecureResolver.
```csharp
using System;
using System.Xml;

// Compiler warning SYSLIB0047: XmlSecureResolver type is obsolete.
XmlResolver resolver = new XmlSecureResolver(
    resolver: new XmlUrlResolver(),
    securityUrl: "https://www.example.com/");

// Call to XmlSecureResolver.GetEntity below throws XmlException at runtime.
object entity = resolver.GetEntity(
    absoluteUri: new Uri("https://www.example.com/some-entity"),
    role: null,
    ofObjectToReturn: null);
```
Version introduced
.NET 7 RC1
Previous behavior
In .NET Framework, XmlSecureResolver.GetEntity constructs a Code Access Security (CAS) sandbox to restrict the external entity resolution process. If policy is violated, SecurityException is thrown.
In .NET Core 3.1, .NET 6, and .NET 7 (prior to RC1), XmlSecureResolver.GetEntity does not restrict external entity resolution at all. External entity resolution is allowed to proceed with no limitations.
New behavior
In .NET 7 RC1, XmlSecureResolver.GetEntity unconditionally throws XmlException. It does not construct a CAS sandbox and does not attempt to resolve the external entity.
Type of breaking change
Source incompatible: Source code may encounter a breaking change in behavior when targeting the new runtime/component/SDK, such as compile errors or different run-time behavior.
Reason for change
This change improves the security of the .NET ecosystem. It moves the behavior of XmlSecureResolver from fail-dangerous (always perform resolution) to fail-safe (never perform resolution) when running on .NET 7.
Recommended action
Consider instead using the newly introduced XmlResolver.ThrowingResolver static property. That property provides an XmlResolver instance which explicitly states "I do not want to allow any external entity resolution to occur."
```csharp
using System.Xml;

// BAD: Do not use XmlSecureResolver.
// XmlResolver resolver = new XmlSecureResolver(
//     resolver: new XmlUrlResolver(),
//     securityUrl: "https://www.example.com/");

// GOOD: Use XmlResolver.ThrowingResolver instead.
XmlResolver resolver = XmlResolver.ThrowingResolver;
```
The documentation for the ThrowingResolver property also provides sample code for bringing the same behavior to projects targeting earlier versions of .NET.
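The snippet above only constructs the resolver; what matters in practice is wiring it into the parser so that a document carrying an external DOCTYPE or entity reference is refused rather than fetched. The following is an added example, not code from this page or from the .NET documentation. It shows a refusing resolver for projects that cannot yet target .NET 7 (the class name RefusingXmlResolver is this example's own, not a framework type), selects XmlResolver.ThrowingResolver when compiled for .NET 7 or later, and applies the resolver through XmlReaderSettings and XmlDocument. The two XML strings are constructed sample inputs; the external DTD URL reuses the page's www.example.com placeholder.

```csharp
#nullable enable
using System;
using System.IO;
using System.Xml;

// Equivalent in spirit to XmlResolver.ThrowingResolver for pre-.NET 7 targets:
// every attempt to fetch an external resource fails with XmlException.
// (Hypothetical class for this example; not a framework type.)
public sealed class RefusingXmlResolver : XmlResolver
{
    public override object? GetEntity(Uri absoluteUri, string? role, Type? ofObjectToReturn)
        => throw new XmlException(
            $"External resource resolution is disabled; refused to fetch '{absoluteUri}'.");
}

public static class XmlHardening
{
    // Prefer the framework's own resolver where it exists.
    private static XmlResolver GetRefusingResolver()
    {
#if NET7_0_OR_GREATER
        return XmlResolver.ThrowingResolver;
#else
        return new RefusingXmlResolver();
#endif
    }

    // Safest default: DTDs are rejected outright, so the parser never reaches
    // the point where an external resource would be requested.
    public static XmlReaderSettings StrictSettings() => new XmlReaderSettings
    {
        DtdProcessing = DtdProcessing.Prohibit,
        XmlResolver = GetRefusingResolver(),
    };

    // For documents that legitimately carry a DOCTYPE: the DTD is parsed, but any
    // external reference throws instead of being fetched, and internal entity
    // expansion is bounded as well.
    public static XmlReaderSettings DtdNoExternalSettings() => new XmlReaderSettings
    {
        DtdProcessing = DtdProcessing.Parse,
        XmlResolver = GetRefusingResolver(),
        MaxCharactersFromEntities = 1024,
    };

    public static string ReadRootName(string xml, XmlReaderSettings settings)
    {
        using var reader = XmlReader.Create(new StringReader(xml), settings);
        reader.MoveToContent();
        return reader.Name;
    }

    public static void Main()
    {
        // Constructed sample documents for this example.
        const string plain = "<note><to>Ops</to></note>";
        const string withExternalDtd =
            "<!DOCTYPE note SYSTEM \"https://www.example.com/note.dtd\"><note><to>Ops</to></note>";

        Console.WriteLine(ReadRootName(plain, StrictSettings()));

        foreach (var (label, settings) in new[]
                 { ("Prohibit", StrictSettings()), ("Parse+refuse", DtdNoExternalSettings()) })
        {
            try
            {
                ReadRootName(withExternalDtd, settings);
                Console.WriteLine($"{label}: parsed (unexpected)");
            }
            catch (XmlException ex)
            {
                // Both configurations end here: Prohibit rejects the DOCTYPE itself,
                // Parse+refuse rejects the attempt to load the external DTD.
                Console.WriteLine($"{label}: refused - {ex.Message}");
            }
        }

        // XmlDocument carries its own resolver setting, independent of any
        // XmlReaderSettings, so set it explicitly as well.
        var doc = new XmlDocument { XmlResolver = GetRefusingResolver() };
        doc.LoadXml(plain);
        Console.WriteLine(doc.DocumentElement!.Name);
    }
}
```

The design choice worth noting is that a null XmlResolver makes the parser skip external references silently, while a throwing resolver turns the same situation into a visible XmlException; the latter is easier to detect in logs and harder to misconfigure away, which is the fail-safe posture this change adopts for XmlSecureResolver.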
Feature area
XML, XSLT
Affected APIs
- The type System.Xml.XmlSecureResolver (source breaking change)
- The method System.Xml.XmlSecureResolver.GetEntity (runtime behavioral breaking change)