XmlSecureResolver is obsolete

The method System.Xml.XmlSecureResolver.GetEntity(Uri, String, Type) unconditionally throws an XmlException at run time. If your application uses XmlSecureResolver and attempts to resolve an XML resource through it, resolution fails with an exception.

Additionally, the entire System.Xml.XmlSecureResolver type is obsolete. All references to this type will result in a SYSLIB0047 warning at build time. If you've enabled warnings as errors, this will cause a build break if your application references XmlSecureResolver.

using System.Xml;

// Compiler warning SYSLIB0047: XmlSecureResolver type is obsolete.
XmlResolver resolver = new XmlSecureResolver(
    resolver: new XmlUrlResolver(),
    securityUrl: "https://www.example.com/");

// Call to XmlSecureResolver.GetEntity below throws XmlException at run time.
object entity = resolver.GetEntity(
    absoluteUri: new Uri("https://www.example.com/some-entity"),
    role: null,
    ofObjectToReturn: null);

Previous behavior

In .NET Framework, XmlSecureResolver.GetEntity(Uri, String, Type) constructs a Code Access Security (CAS) sandbox to restrict the external XML resource resolution process. If policy is violated, a SecurityException is thrown.

In .NET Core 3.1 and .NET 6, XmlSecureResolver.GetEntity(Uri, String, Type) doesn't restrict external XML resource resolution at all. External resource resolution is allowed to proceed with no limitations.

New behavior

Starting in .NET 7, XmlSecureResolver.GetEntity(Uri, String, Type) unconditionally throws an XmlException. It does not construct a CAS sandbox and does not attempt to resolve the external resource.

Version introduced

.NET 7

Type of breaking change

This change can affect source compatibility and binary compatibility.

Reason for change

This change improves the security of the .NET ecosystem. This obsoletion moves the behavior of XmlSecureResolver from fail-dangerous (always perform resolution) to fail-safe (never perform resolution) when running on .NET 7 or later.

Consider instead using the newly introduced static property XmlResolver.ThrowingResolver. This property provides an XmlResolver instance that forbids external resource resolution.

using System.Xml;

// BAD: Do not use XmlSecureResolver.
// XmlResolver resolver = new XmlSecureResolver(
//     resolver: new XmlUrlResolver(),
//     securityUrl: "https://www.example.com/");

// GOOD: Use XmlResolver.ThrowingResolver instead.
XmlResolver resolver = XmlResolver.ThrowingResolver;
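A concrete way to apply XmlResolver.ThrowingResolver when parsing untrusted input, as an added example that is not part of the original page. It assumes .NET 7 or later; the sample document and its external entity URL are constructed placeholders, and the ParseWithResolver helper is hypothetical.

```csharp
using System;
using System.IO;
using System.Xml;

// Constructed sample input (not from the page): a document whose DTD declares an
// external entity. The URL is a placeholder; nothing is fetched because the
// resolver refuses every request before any network access happens.
const string untrustedXml =
    "<?xml version=\"1.0\"?>" +
    "<!DOCTYPE doc [<!ENTITY ext SYSTEM \"https://www.example.com/external.txt\">]>" +
    "<doc>&ext;</doc>";

// Hypothetical helper: parse the document with the given resolver and report the outcome.
static string ParseWithResolver(string xml, XmlResolver? resolver)
{
    var settings = new XmlReaderSettings
    {
        // The DTD must be parsed for the external entity to be requested at all;
        // the resolver is the layer that decides whether that request may proceed.
        DtdProcessing = DtdProcessing.Parse,
        XmlResolver = resolver,
    };

    using var reader = XmlReader.Create(new StringReader(xml), settings);
    try
    {
        while (reader.Read()) { }
        return "parsed";
    }
    catch (XmlException ex)
    {
        // ThrowingResolver fails closed: the first external reference raises XmlException.
        return "rejected: " + ex.Message;
    }
}

// BAD: new XmlUrlResolver() would fetch the external entity over the network
// (not executed here). XmlSecureResolver on .NET 7+ throws as well, but with a
// build warning, so it should not be relied on.

// GOOD: ThrowingResolver forbids external resource resolution outright.
Console.WriteLine(ParseWithResolver(untrustedXml, XmlResolver.ThrowingResolver));
```

The same resolver can be assigned to XmlDocument.XmlResolver or XslCompiledTransform.Load overloads that accept an XmlResolver, so that every XML entry point in the application fails safe consistently.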

Affected APIs