.NET: What is the purpose of the ProhibitDtd property in XmlReaderSettings? Why is DTD a security i
Posted by Cheeso on Stack Overflow
Published on 2010-03-31T20:20:09Z
The documentation says:
When set to true, the XmlReader throws an XmlException when any DTD content is encountered. Do not enable DTD processing if you are concerned about Denial of Service issues or if you are dealing with untrusted sources.
If you have DTD processing enabled, you can use the XmlSecureResolver to restrict the resources that the XmlReader can access. You can also design your application so that the XML processing is memory and time constrained. For example, configure time-out limits in your ASP.NET application.
Can someone please explain the issue?
Why would a reader application want to prohibit the retrieval of a DTD? Where is the denial-of-service issue, if it is a reading application? What is the "trust" issue that is mentioned?
Thanks
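The setting the quoted documentation describes, as an added C# example that is not part of the original post: it parses one constructed document with ProhibitDtd on and then off, with the resolver set to null so nothing external is fetched. It assumes .NET Framework 2.0 to 3.5, where XmlReaderSettings.ProhibitDtd is the current property (later versions use DtdProcessing instead); the class name, sample document and Parse helper are made up for illustration.

```csharp
using System;
using System.IO;
using System.Text;
using System.Xml;

static class DtdPolicyDemo
{
    // Constructed sample: a small document whose internal DTD subset declares one entity.
    const string Sample =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE note [ <!ENTITY greeting \"hello\"> ]>\n" +
        "<note>&greeting;</note>";

    // Parses xml under the given DTD policy and returns the text content,
    // or "rejected: <message>" when the reader refuses the document.
    static string Parse(string xml, bool prohibitDtd)
    {
        XmlReaderSettings settings = new XmlReaderSettings();
        settings.ProhibitDtd = prohibitDtd;   // true is the default for XmlReaderSettings
        // No resolver: even with DTDs allowed, external DTDs/entities are never fetched.
        // To allow a single trusted origin instead, use
        // new XmlSecureResolver(new XmlUrlResolver(), "<trusted base URL>").
        settings.XmlResolver = null;

        StringBuilder text = new StringBuilder();
        try
        {
            using (XmlReader reader = XmlReader.Create(new StringReader(xml), settings))
            {
                while (reader.Read())
                    if (reader.NodeType == XmlNodeType.Text)
                        text.Append(reader.Value);
            }
        }
        catch (XmlException ex)
        {
            return "rejected: " + ex.Message;
        }
        return text.ToString();
    }

    static void Main()
    {
        // DTD prohibited: the DOCTYPE itself raises XmlException, so no entity is ever expanded.
        Console.WriteLine(Parse(Sample, true));
        // DTD allowed: the reader processes the DTD and substitutes &greeting; in the content.
        Console.WriteLine(Parse(Sample, false));
    }
}
```

With DTDs allowed, the size of the expanded content is decided by the document's author rather than by the reading application, which is why the documentation pairs that setting with memory and time limits.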
© Stack Overflow or respective owner