Reputation: 99
I have a project scanner complaining with a Warning about
XmlDataDocument serializedContent = new XmlDataDocument();
and
serializedContent.Load(objStream);
and giving this recommendation to use:
The best way to prevent XXE attacks is to disable XML entity resolution by disabling inline DTD (setting DtdProcessing to DtdProcessing.Prohibit) or by disabling XML entity resolution (setting the XmlReaderSettings.XmlResolver property to null):
XmlReaderSettings settings = new XmlReaderSettings();
settings.DtdProcessing = DtdProcessing.Prohibit;
settings.XmlResolver = null;
XmlReader reader = XmlReader.Create(stream, settings);
Here's the code that I have:
[Serializable]
...
XmlSerializer objSerializer = new XmlSerializer(...); // XmlSerializer, not XmlTextWriter, is the declared type
MemoryStream objStream = new MemoryStream();
XmlTextWriter objWriter = null;
XmlDataDocument objSerializedContent = new XmlDataDocument(); // it complains here
objWriter = new XmlTextWriter(objStream, System.Text.Encoding.UTF8);
...
objSerializedContent.Load(objStream); // it complains here
How can I apply that scan recommendation using a reader if I'm using XmlTextWriter & XmlDataDocument?
Upvotes: 0
Views: 96
Reputation: 167516
If you use
XmlReaderSettings settings = new XmlReaderSettings();
settings.DtdProcessing = DtdProcessing.Prohibit;
settings.XmlResolver = null;
and
using (XmlReader xr = XmlReader.Create(objStream, settings)) {
objSerializedContent.Load(xr);
}
instead of objSerializedContent.Load(objStream), your code uses an XmlReader over the MemoryStream, and that XmlReader has the settings you want or need.
Upvotes: 1
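The answer's pattern carried end to end, as an added example that is not part of the question or the answer: an object is serialized into a MemoryStream with XmlSerializer and XmlTextWriter, the stream is rewound, and the XmlDataDocument is loaded through an XmlReader carrying the hardened settings instead of through Load(Stream). The Person type and its members are made up for this example; it assumes .NET with System.Data available (XmlDataDocument lives there). It also shows what DtdProcessing.Prohibit actually does: a constructed input that carries a DOCTYPE is refused with an XmlException before any entity is expanded.

```csharp
using System;
using System.Data;
using System.IO;
using System.Text;
using System.Xml;
using System.Xml.Serialization;

// Added example (not code from the question or the answer). Person and its
// members are assumptions made up for this example.
[Serializable]
public class Person
{
    public string Name { get; set; }
    public int Age { get; set; }
}

public static class SafeXmlDataDocumentLoad
{
    // The settings the scanner recommends, set explicitly rather than relying
    // on whatever the framework version defaults to.
    public static XmlReaderSettings HardenedSettings()
    {
        XmlReaderSettings settings = new XmlReaderSettings();
        settings.DtdProcessing = DtdProcessing.Prohibit; // any <!DOCTYPE> makes the reader throw
        settings.XmlResolver = null;                    // nothing external is ever fetched
        return settings;
    }

    // Replacement for objSerializedContent.Load(objStream): the document is fed
    // from an XmlReader that carries the hardened settings, so the document never
    // builds its own reader over the raw stream.
    public static XmlDataDocument LoadHardened(Stream stream)
    {
        XmlDataDocument doc = new XmlDataDocument();
        doc.XmlResolver = null; // extra safety on the document itself; the reader settings do the work
        using (XmlReader reader = XmlReader.Create(stream, HardenedSettings()))
        {
            doc.Load(reader);
        }
        return doc;
    }

    // Returns true when the hardened reader rejects the input because it
    // carries a DOCTYPE, which is exactly what DtdProcessing.Prohibit is for.
    public static bool RejectsDoctype(string xml)
    {
        try
        {
            using (MemoryStream ms = new MemoryStream(Encoding.UTF8.GetBytes(xml)))
            {
                LoadHardened(ms);
            }
            return false;
        }
        catch (XmlException)
        {
            return true;
        }
    }

    public static void Main()
    {
        // 1. Serialize, the way the question does, into a MemoryStream.
        XmlSerializer objSerializer = new XmlSerializer(typeof(Person));
        MemoryStream objStream = new MemoryStream();
        XmlTextWriter objWriter = new XmlTextWriter(objStream, Encoding.UTF8);
        objSerializer.Serialize(objWriter, new Person { Name = "Ada", Age = 36 });
        objWriter.Flush(); // do not Close(): XmlTextWriter.Close() also closes objStream

        // 2. Rewind; otherwise the reader starts at end-of-stream and sees nothing.
        objStream.Position = 0;

        // 3. Load through the hardened reader instead of Load(objStream).
        XmlDataDocument objSerializedContent = LoadHardened(objStream);
        Console.WriteLine("Root element: " + objSerializedContent.DocumentElement.Name);

        // 4. Constructed input with an internal, harmless DTD: the hardened
        //    reader refuses it before any entity could be expanded.
        string withDoctype =
            "<?xml version=\"1.0\"?>" +
            "<!DOCTYPE Person [<!ENTITY greeting \"hi\">]>" +
            "<Person><Name>&greeting;</Name><Age>1</Age></Person>";
        Console.WriteLine("DOCTYPE rejected: " + RejectsDoctype(withDoctype));
    }
}
```

The Position reset in step 2 is the detail most easily lost in the question's elided "..." section: after the writer has filled the MemoryStream, its position sits at the end, and an XmlReader created over it would throw on an empty document rather than read the serialized content.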