XmlSecureResolver is obsolete
The method System.Xml.XmlSecureResolver.GetEntity(Uri, String, Type) unconditionally throws an XmlException at run time. If your application utilizes XmlSecureResolver and you attempt to resolve an XML resource through it, resolution will fail with an exception.
Additionally, the entire System.Xml.XmlSecureResolver type is obsolete. All references to this type will result in a SYSLIB0047 warning at build time. If you've enabled warnings as errors, this will cause a build break if your application references XmlSecureResolver.
using System;
using System.Xml;

// Compiler warning SYSLIB0047: XmlSecureResolver type is obsolete.
XmlResolver resolver = new XmlSecureResolver(
    resolver: new XmlUrlResolver(),
    securityUrl: "https://www.example.com/");

// Call to XmlSecureResolver.GetEntity below throws XmlException at run time.
object entity = resolver.GetEntity(
    absoluteUri: new Uri("https://www.example.com/some-entity"),
    role: null,
    ofObjectToReturn: null);
Previous behavior
In .NET Framework, XmlSecureResolver.GetEntity(Uri, String, Type) constructs a Code Access Security (CAS) sandbox to restrict the external XML resource resolution process. If policy is violated, a SecurityException is thrown.
In .NET Core 3.1 and .NET 6, XmlSecureResolver.GetEntity(Uri, String, Type) doesn't restrict external XML resource resolution at all. External resource resolution is allowed to proceed with no limitations.
New behavior
Starting in .NET 7, XmlSecureResolver.GetEntity(Uri, String, Type) unconditionally throws an XmlException. It does not construct a CAS sandbox and does not attempt to resolve the external resource.
Version introduced
.NET 7
Type of breaking change
This change can affect source compatibility and binary compatibility.
Reason for change
This change improves the security of the .NET ecosystem. This obsoletion moves the behavior of XmlSecureResolver from fail-dangerous (always perform resolution) to fail-safe (never perform resolution) when running on .NET 7 or later.
Recommended action
Consider instead using the newly introduced static property XmlResolver.ThrowingResolver. This property provides an XmlResolver instance that forbids external resource resolution.
using System.Xml;

// BAD: Do not use XmlSecureResolver.
// XmlResolver resolver = new XmlSecureResolver(
//     resolver: new XmlUrlResolver(),
//     securityUrl: "https://www.example.com/");

// GOOD: Use XmlResolver.ThrowingResolver instead.
XmlResolver resolver = XmlResolver.ThrowingResolver;
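The following added example (not part of the original page) shows XmlResolver.ThrowingResolver wired into an XmlReader that still needs DTD processing for internal entities. The helper name ReadRootText and both sample documents are constructed for illustration.

```csharp
using System;
using System.IO;
using System.Xml;

// Constructed sample inputs: one document declares only an internal entity,
// the other declares an external (SYSTEM) entity that needs a resolver.
const string internalOnly =
    "<!DOCTYPE r [<!ENTITY greet \"hello\">]><r>&greet;</r>";
const string externalEntity =
    "<!DOCTYPE r [<!ENTITY ext SYSTEM \"https://www.example.com/some-entity\">]>" +
    "<r>&ext;</r>";

// Internal entities are expanded by the reader itself, so this parses.
Console.WriteLine($"Internal entity expanded to: {ReadRootText(internalOnly)}");

// Expanding &ext; requires the resolver, which refuses and surfaces
// an XmlException instead of making a network request.
try
{
    ReadRootText(externalEntity);
    Console.WriteLine("Unexpected: external entity was resolved.");
}
catch (XmlException ex)
{
    Console.WriteLine($"External entity blocked: {ex.Message}");
}

// Hypothetical helper: parses a document and returns the root element's text.
static string ReadRootText(string xml)
{
    var settings = new XmlReaderSettings
    {
        // DTDs are parsed so that internal entities keep working.
        DtdProcessing = DtdProcessing.Parse,
        // Every attempt to fetch an external resource throws XmlException.
        XmlResolver = XmlResolver.ThrowingResolver,
    };

    using XmlReader reader = XmlReader.Create(new StringReader(xml), settings);
    reader.MoveToContent();
    return reader.ReadElementContentAsString();
}
```

If the application never needs DTDs, setting DtdProcessing to DtdProcessing.Prohibit rejects the DOCTYPE before any entity is considered.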