System.Xml.Schema.XmlSchemaSet class
This article provides supplementary remarks to the reference documentation for this API.
Important
- Do not use schemas from unknown or untrusted sources or locations. Doing so will compromise the security of your code.
- XML schemas (including inline schemas) are inherently vulnerable to denial of service attacks; do not accept them in untrusted scenarios.
- Schema validation error messages and exceptions may expose sensitive information about the content model or URI paths to the schema file. Be careful not to expose this information to untrusted callers.
- Additional security considerations are covered in the "Security Considerations" section.
XmlSchemaSet is a cache or library where you can store XML Schema definition language (XSD) schemas. XmlSchemaSet improves performance by caching schemas in memory instead of accessing them from a file or a URL. Each schema is identified by the namespace URI and location that was specified when the schema was added to the set. You use the XmlReaderSettings.Schemas property to assign the XmlSchemaSet object an XML reader should use for data validation.
Security considerations
Do not use schemas from unknown or untrusted sources. Doing so will compromise the security of your code. External namespaces or locations referenced in include, import, and redefine elements of a schema are resolved with respect to the base URI of the schema that includes or imports them. For example, if the base URI of the including or importing schema is empty or
null
, the external locations are resolved with respect to the current directory. The XmlUrlResolver class is used to resolve external schemas by default. To disable resolution of include, import, and redefine elements of a schema, set the XmlSchemaSet.XmlResolver property tonull
.The XmlSchemaSet class uses the System.Text.RegularExpressions.Regex class to parse and match regular expressions in an XML schema. Validation of pattern facets with regular expressions in an XML schema may involve increased CPU usage and should be avoided in high availability scenarios.
Exceptions raised as a result of using the XmlSchemaSet class, such as the XmlSchemaException class may contain sensitive information that should not be exposed in untrusted scenarios. For example, the SourceUri property of an XmlSchemaException returns the URI path to the schema file that caused the exception. The SourceUri property should not be exposed in untrusted scenarios. Exceptions should be properly handled so that this sensitive information is not exposed in untrusted scenarios.
Examples
The following example validates an XML file using schemas stored in the XmlSchemaSet. The namespace in the XML file, urn:bookstore-schema
, identifies which schema in the XmlSchemaSet to use for validation. Output from the example shows that the XML file has two schema violations:
The first <book> element contains an <author> element but no <title> or <price> element.
The <author> element in the last <book> element is missing a <first-name> and <last-name> element and instead has an invalid <name> element.
using System;
using System.Xml;
using System.Xml.Schema;
using System.IO;
public class Sample
{
public static void Main() {
// Create the XmlSchemaSet class.
XmlSchemaSet sc = new XmlSchemaSet();
// Add the schema to the collection.
sc.Add("urn:bookstore-schema", "books.xsd");
// Set the validation settings.
XmlReaderSettings settings = new XmlReaderSettings();
settings.ValidationType = ValidationType.Schema;
settings.Schemas = sc;
settings.ValidationEventHandler += ValidationCallBack;
// Create the XmlReader object.
XmlReader reader = XmlReader.Create("booksSchemaFail.xml", settings);
// Parse the file.
while (reader.Read());
}
// Display any validation errors.
private static void ValidationCallBack(object sender, ValidationEventArgs e) {
Console.WriteLine($"Validation Error:\n {e.Message}\n");
}
}
// The example displays output like the following:
// Validation Error:
// The element 'book' in namespace 'urn:bookstore-schema' has invalid child element 'author'
// in namespace 'urn:bookstore-schema'. List of possible elements expected: 'title' in
// namespace 'urn:bookstore-schema'.
//
// Validation Error:
// The element 'author' in namespace 'urn:bookstore-schema' has invalid child element 'name'
// in namespace 'urn:bookstore-schema'. List of possible elements expected: 'first-name' in
// namespace 'urn:bookstore-schema'.
Imports System.Xml
Imports System.Xml.Schema
Imports System.IO
Public Module Sample
Public Sub Main()
' Create the XmlSchemaSet class.
Dim sc as XmlSchemaSet = new XmlSchemaSet()
' Add the schema to the collection.
sc.Add("urn:bookstore-schema", "books.xsd")
' Set the validation settings.
Dim settings as XmlReaderSettings = new XmlReaderSettings()
settings.ValidationType = ValidationType.Schema
settings.Schemas = sc
AddHandler settings.ValidationEventHandler, AddressOf ValidationCallBack
' Create the XmlReader object.
Dim reader as XmlReader = XmlReader.Create("booksSchemaFail.xml", settings)
' Parse the file.
While reader.Read()
End While
End Sub
' Display any validation errors.
Private Sub ValidationCallBack(sender as object, e as ValidationEventArgs)
Console.WriteLine($"Validation Error:{vbCrLf} {e.Message}")
Console.WriteLine()
End Sub
End Module
' The example displays output like the following:
' Validation Error:
' The element 'book' in namespace 'urn:bookstore-schema' has invalid child element 'author'
' in namespace 'urn:bookstore-schema'. List of possible elements expected: 'title' in
' namespace 'urn:bookstore-schema'.
'
' Validation Error:
' The element 'author' in namespace 'urn:bookstore-schema' has invalid child element 'name'
' in namespace 'urn:bookstore-schema'. List of possible elements expected: 'first-name' in
' namespace 'urn:bookstore-schema'.
Input
The sample uses the following two input files.
booksSchemaFail.xml:
<?xml version='1.0'?>
<bookstore xmlns="urn:bookstore-schema">
<book>
<author>
<first-name>Benjamin</first-name>
<last-name>Franklin</last-name>
</author>
</book>
<book genre="novel">
<title>The Confidence Man</title>
<author>
<first-name>Herman</first-name>
<last-name>Melville</last-name>
</author>
<price>11.99</price>
</book>
<book genre="philosophy">
<title>The Gorgias</title>
<author>
<name>Plato</name>
</author>
<price>9.99</price>
</book>
</bookstore>
books.xsd:
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns="urn:bookstore-schema"
elementFormDefault="qualified"
targetNamespace="urn:bookstore-schema">
<xsd:element name="bookstore" type="bookstoreType"/>
<xsd:complexType name="bookstoreType">
<xsd:sequence maxOccurs="unbounded">
<xsd:element name="book" type="bookType"/>
</xsd:sequence>
</xsd:complexType>
<xsd:complexType name="bookType">
<xsd:sequence>
<xsd:element name="title" type="xsd:string"/>
<xsd:element name="author" type="authorName"/>
<xsd:element name="price" type="xsd:decimal"/>
</xsd:sequence>
<xsd:attribute name="genre" type="xsd:string"/>
</xsd:complexType>
<xsd:complexType name="authorName">
<xsd:sequence>
<xsd:element name="first-name" type="xsd:string"/>
<xsd:element name="last-name" type="xsd:string"/>
</xsd:sequence>
</xsd:complexType>
</xsd:schema>