XmlReaderSettings.MaxCharactersFromEntities Property


Gets or sets a value indicating the maximum allowable number of characters in a document that result from expanding entities.

 property long MaxCharactersFromEntities { long get(); void set(long value); };
public long MaxCharactersFromEntities { get; set; }
member this.MaxCharactersFromEntities : int64 with get, set
Public Property MaxCharactersFromEntities As Long



The maximum allowable number of characters from expanded entities. The default is 0.


The following code sets this property and then attempts to parse a document that contains an entity whose expansion is larger than the configured limit. In a real-world scenario you would set this limit to a value large enough to handle valid documents, yet small enough to limit the threat from malicious documents. Note that the reader only expands entities at all when DtdProcessing is set to Parse; the default, Prohibit, rejects any DOCTYPE before this limit comes into play.

C#:

using System;
using System.IO;
using System.Xml;

// The internal subset must be closed with "]>" before the document element,
// otherwise the DOCTYPE itself is malformed and the parse fails for the wrong reason.
string markup =
@"<!DOCTYPE Root [
  <!ENTITY anEntity ""Expands to more than 30 characters"">
  <!ELEMENT Root (#PCDATA)>
]>
<Root>Content &anEntity;</Root>";

XmlReaderSettings settings = new XmlReaderSettings();
settings.DtdProcessing = DtdProcessing.Parse;   // required: entities are only expanded when the DTD is parsed
settings.ValidationType = ValidationType.DTD;
settings.MaxCharactersFromEntities = 30;        // the entity above expands to 36 characters

try
{
    XmlReader reader = XmlReader.Create(new StringReader(markup), settings);
    while (reader.Read()) { }
}
catch (XmlException ex)
{
    // The limit is reported as an XmlException when the expansion crosses 30 characters.
    Console.WriteLine(ex.Message);
}
Visual Basic:

Imports System
Imports System.IO
Imports System.Xml

Dim markup As String = _
    "<!DOCTYPE Root [" + Environment.NewLine + _
    "  <!ENTITY anEntity ""Expands to more than 30 characters"">" + Environment.NewLine + _
    "  <!ELEMENT Root (#PCDATA)>" + Environment.NewLine + _
    "]>" + Environment.NewLine + _
    "<Root>Content &anEntity;</Root>"

Dim settings As XmlReaderSettings = New XmlReaderSettings()
settings.DtdProcessing = DtdProcessing.Parse     ' required: entities are only expanded when the DTD is parsed
settings.ValidationType = ValidationType.DTD
settings.MaxCharactersFromEntities = 30          ' the entity above expands to 36 characters

Try
    Dim reader As XmlReader = XmlReader.Create(New StringReader(markup), settings)
    While (reader.Read())
    End While
Catch ex As XmlException
    ' The limit is reported as an XmlException when the expansion crosses 30 characters.
    Console.WriteLine(ex.Message)
End Try

This example produces the following output:

There is an error in XML document (MaxCharactersFromEntities, ).  


A zero (0) value means there is no limit on the number of characters that result from expanding entities. A non-zero value specifies the maximum number of characters that can result from expanding entities. Do not assume a freshly constructed XmlReaderSettings has no limit: recent .NET Framework versions (unless legacy XML settings are enabled) and .NET Core/.NET initialize the property to 10,000,000 characters rather than 0, so read the property on your target runtime if you depend on the default.

If the reader attempts to read a document that contains entities such that the expanded size would exceed this property, an XmlException is thrown. The count covers the replacement text of every entity the reader expands, so nested entity definitions (an entity whose replacement text references other entities) are counted at each level, not just in the final content.

This property allows you to mitigate denial-of-service attacks in which the attacker submits XML documents that attempt to exhaust memory via entity expansion (the "billion laughs" pattern, where a few kilobytes of nested entity definitions expand to gigabytes of text). By limiting the characters that result from expanded entities, you can detect the attack and recover reliably. It only bounds entity expansion; pair it with XmlResolver = null so that DtdProcessing.Parse cannot be used to fetch external DTDs or external entities, and consider MaxCharactersInDocument to bound the overall document size.
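The following is an added example, not code from the original page or from the .NET documentation, that makes the remarks above concrete. It constructs a small nested-entity document (a scaled-down "billion laughs": three levels of ten references each, so the final content holds 3,000 characters, with roughly 9,700 characters of replacement text pushed in total when the intermediate levels are counted) and parses it under two different limits. The helper names BuildNestedEntityDocument and TryParse are hypothetical; the APIs used (XmlReaderSettings, DtdProcessing.Parse, XmlResolver, MaxCharactersFromEntities, XmlReader.Create) are the real ones.

```csharp
using System;
using System.IO;
using System.Text;
using System.Xml;

// Added example (hypothetical helper names). Shows MaxCharactersFromEntities
// stopping a nested entity expansion while still allowing a generous limit.
static class EntityExpansionDemo
{
    // Constructed input: lol0 = "lol"; lolN = fanOut references to lol(N-1).
    // With depth 3 and fanOut 10 the document element expands to 1,000 copies
    // of "lol" (3,000 characters), from a DOCTYPE of a few hundred bytes.
    static string BuildNestedEntityDocument(int depth, int fanOut)
    {
        var sb = new StringBuilder();
        sb.Append("<!DOCTYPE Root [\n");
        sb.Append("  <!ENTITY lol0 \"lol\">\n");
        for (int i = 1; i <= depth; i++)
        {
            sb.Append($"  <!ENTITY lol{i} \"");
            for (int j = 0; j < fanOut; j++) sb.Append($"&lol{i - 1};");
            sb.Append("\">\n");
        }
        sb.Append("]>\n");
        sb.Append($"<Root>&lol{depth};</Root>");
        return sb.ToString();
    }

    // Parses the document under the given entity-expansion limit.
    // Returns null when the parse completes, or the XmlException message
    // when the reader refuses the document.
    static string TryParse(string xml, long maxCharsFromEntities)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Parse,    // entities are only expanded when the DTD is parsed
            XmlResolver = null,                     // never fetch external DTDs or external entities
            MaxCharactersFromEntities = maxCharsFromEntities,
        };
        try
        {
            using (XmlReader reader = XmlReader.Create(new StringReader(xml), settings))
            {
                while (reader.Read()) { }
            }
            return null;
        }
        catch (XmlException ex)
        {
            return ex.Message;
        }
    }

    static void Main()
    {
        string xml = BuildNestedEntityDocument(depth: 3, fanOut: 10);
        Console.WriteLine($"Document is {xml.Length} characters; the entity expands to 3,000 characters of content");

        // A limit well above the total expansion lets the document through.
        Console.WriteLine("limit 100000: " + (TryParse(xml, 100_000) ?? "parsed OK"));

        // A limit below the expansion makes the reader throw XmlException
        // before the full text is materialized.
        Console.WriteLine("limit 1000:   " + (TryParse(xml, 1_000) ?? "parsed OK"));
    }
}
```

Raising depth or fanOut grows the expansion geometrically while the document stays tiny, which is exactly why the limit should be chosen from the largest legitimate expansion you expect rather than left at 0 (unlimited). Setting XmlResolver to null is what keeps DtdProcessing.Parse from turning into an external-entity fetch; MaxCharactersFromEntities does nothing about that on its own.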