System.Xml.XmlTextReader class

This article provides supplementary remarks to the reference documentation for this API.

Note

We recommend that you create XmlReader instances by using the XmlReader.Create method to take advantage of new functionality.

XmlTextReader provides forward-only, read-only access to a stream of XML data. The current node refers to the node on which the reader is positioned. The reader is advanced using any of the read methods, and its properties reflect the value of the current node.

This class implements XmlReader and conforms to the W3C Extensible Markup Language (XML) 1.0 and the Namespaces in XML recommendations. XmlTextReader provides the following functionality:

  • Enforces the rules of well-formed XML.

  • XmlTextReader does not provide data validation.

  • Checks that DocumentType nodes are well-formed. XmlTextReader checks the DTD for well-formedness, but does not validate using the DTD.

  • For nodes where NodeType is XmlNodeType.EntityReference, a single empty EntityReference node is returned (that is, the Value property is String.Empty).

Note

The actual declarations of entities in the DTD are called Entity nodes. When you refer to these nodes in your data, they are called EntityReference nodes.

  • Does not expand default attributes.

Because the XmlTextReader does not perform the extra checks required for data validation, it provides a fast well-formedness parser.

To perform data validation, use a validating XmlReader.

To read XML data from an XmlDocument, use XmlNodeReader.

XmlTextReader throws an XmlException on XML parse errors. After an exception is thrown, the state of the reader is not predictable. For example, the reported node type may be different from the actual node type of the current node. Use the ReadState property to check whether a reader is in an error state.

Security considerations

The following are things to consider when using the XmlTextReader class.

  • Exceptions thrown by the XmlTextReader can disclose path information that you do not want bubbled up to the application. Your applications must catch exceptions and process them appropriately.

  • DTD processing is enabled by default. Disable DTD processing if you are concerned about Denial of Service issues or if you are dealing with untrusted sources. Set the DtdProcessing property to Prohibit to disable DTD processing.

    If you have DTD processing enabled, you can use the XmlSecureResolver to restrict the resources that the XmlTextReader can access. You can also design your application so that the XML processing is memory and time constrained. For example, configure time-out limits in your ASP.NET application.

  • XML data can include references to external resources such as a DTD file. By default external resources are resolved using an XmlUrlResolver object with no user credentials. You can secure this further by doing one of the following:

  • XML data can contain a large number of attributes, namespace declarations, nested elements and so on that require a substantial amount of time to process. To limit the size of the input that is sent to the XmlTextReader, create a custom IStream implementation and supply it to the XmlTextReader.

  • The ReadValueChunk method can be used to handle large streams of data. This method reads a small number of characters at a time instead of allocating a single string for the whole value.

  • By default general entities are not expanded. General entities are expanded when you call the ResolveEntity method.
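The following C# sketch applies the considerations above to a single reader: DTD processing is prohibited, no resolver is available for external resources, and a parse failure is reported without echoing the exception message. It is an added example, not code from the original documentation; the class name, the CountElements helper and the sample XML are assumptions made for illustration.

```csharp
using System;
using System.IO;
using System.Xml;

static class HardenedXmlTextReaderDemo
{
    // Constructed sample input: a document that carries a DTD with an internal entity.
    const string UntrustedXml =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE order [<!ENTITY note \"constructed sample\">]>\n" +
        "<order><item>&note;</item></order>";

    // Hypothetical helper: returns the number of element nodes, or -1 if the input is rejected.
    static int CountElements(string xml)
    {
        using (var reader = new XmlTextReader(new StringReader(xml)))
        {
            reader.DtdProcessing = DtdProcessing.Prohibit; // DTD processing is enabled by default
            reader.XmlResolver = null;                     // no resolver, so no external resources
            try
            {
                int elements = 0;
                while (reader.Read())
                    if (reader.NodeType == XmlNodeType.Element) elements++;
                return elements;
            }
            catch (XmlException ex)
            {
                // The reader state is not predictable after a parse error, so stop reading.
                // Report the position and ReadState only; the exception message and
                // SourceUri can contain path information and stay out of this output.
                Console.Error.WriteLine(
                    $"XML rejected at line {ex.LineNumber}, position {ex.LinePosition}; ReadState={reader.ReadState}");
                return -1;
            }
        }
    }

    static void Main()
    {
        Console.WriteLine(CountElements(UntrustedXml));             // constructed input with a DTD
        Console.WriteLine(CountElements("<order><item/></order>")); // constructed input without a DTD
    }
}
```

With DtdProcessing set to Prohibit, the reader throws an XmlException as soon as it encounters the DOCTYPE declaration, so the entity declarations are never processed.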