XML DOM Security

A version of this page is also available for Windows Embedded CE 6.0 R3.

4/8/2010

XML Core Services and the Document Object Model (DOM) carry the following potential security risks:

  • The DOM is designed to run over a public network, such as the Internet. If the security of the DOM is compromised, it could expose the Windows Mobile device or local network to the public network.
  • The DOM supports third-party extensions. If these extensions do not use proper security and authentication procedures, they could compromise the security of the Windows Mobile device or local network.
  • If the DOM is used with Microsoft Internet Explorer or external entity references, and proper security and authentication procedures are not used, the DOM could compromise the security of the Windows Mobile device or local network.

Best Practices

Disable external references to avoid exhausting system resources

Like HTML, XML resolves links to external data sources by default. Disabling external references prevents the XML parser from retrieving information not contained in the XML document itself. You can disable external references by setting the property in either of the following ways immediately after creating the DOM object.

put_resolveExternals(VARIANT_FALSE); (for C++)

– or –

DOM.resolveExternals = false; (for JScript)

Set a limit on the amount of data that an application or server will accept for any document

Large amounts of data can exhaust system memory, which may cause system instability. Your application should check the amount of data coming into it before parsing. If the amount of incoming data exceeds the maximum you set, the application should stop processing the request and must not load the data into the DOM.
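The following added example (not code from the original page) combines the two practices above for untrusted input: it enforces a byte limit before anything reaches the parser, then creates the MSXML DOM with resolveExternals cleared before loading. It is written in JScript-compatible syntax; the ProgID "Msxml2.DOMDocument", the 64 KB limit and the injectable createDom parameter are assumptions, not values from the page.

```javascript
// Added example: guarded load of untrusted XML into an MSXML DOM.
var MAX_XML_BYTES = 64 * 1024;  // assumed limit; tune to the application

// Default factory for the real COM object (ProgID assumed; adjust for the
// MSXML version installed on the device).
function createMsxmlDom() {
  return new ActiveXObject("Msxml2.DOMDocument");
}

// createDom is injectable so the guard logic can be exercised without COM.
function loadUntrustedXml(xmlText, maxBytes, createDom) {
  maxBytes = maxBytes || MAX_XML_BYTES;
  createDom = createDom || createMsxmlDom;

  // Size check first: JScript strings are UTF-16, so length * 2 is an upper
  // bound on the bytes the parser would receive. Reject before parsing.
  var sizeBytes = xmlText.length * 2;
  if (sizeBytes > maxBytes) {
    return { ok: false, reason: "rejected: " + sizeBytes + " bytes exceeds limit of " + maxBytes };
  }

  var doc = createDom();
  doc.async = false;             // synchronous load so parseError is final on return
  doc.resolveExternals = false;  // never fetch external DTDs or entities
  doc.validateOnParse = false;   // MSXML property: no DTD/schema fetch for validation either

  if (!doc.loadXML(xmlText)) {
    return { ok: false, reason: "parse error: " + doc.parseError.reason };
  }
  return { ok: true, doc: doc };
}
```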

If your application supplies browsing capabilities, implement a security manager, such as the Internet Explorer Security Manager

XML uses the security zones set by URL Moniker Services (URLMON). You can access these security zones through the URLMON registry settings. You will also need to set up the IObjectSafety extensions.

For more information about importing the Internet Explorer Security Manager, see About IObjectSafety Extensions for Internet Explorer in the MSDN Library.

For more information about URLMON security zones, see URL Security Zones.

Default Registry Settings

URLMON security zones affect XML security. For more information about security zones, see URL Security Zones.

You should be aware of the registry settings that affect security. The registry settings documentation contains Security Note entries describing the relevant security issues.

See Also

Other Resources

XML Core Services and Document Object Model
XML DOM Application Development