If you simply load the XAML without taking any precautions there are two potential concerns:

1. The XAML can call methods on your objects using "x:Static" and "ObjectDataSource".
2. The XAML can incorporate HTML and images from arbitrary Uris, so if there is a bug in the HTML-processing or image-processing code, malware could exploit it.

The solution is twofold:

1. Limit the classes that can be instantiated.
2. Restrict the setting of Uri properties to relative sources only.

Limiting the classes that can be instantiated

Fortunately there are only a limited number of places types can appear: element names, attached-property names, markup extensions, and properties of type "Type". By disallowing any but the standard type extensions, it is quite simple to scan for all usages and build a complete list of types referenced in the XAML. This can be checked against a whitelist of known-safe types. Any types referenced that aren't on the safe list cause the XAML to be rejected.

Note: The built-in XamlReader doesn't allow you to provide a custom IXamlTypeResolver. I use an enhanced XamlReader I wrote that allows a custom IXamlTypeResolver, so I can actually detect every type that is referenced in the XAML at load time and run time without doing any parsing at all: just fail to resolve any type not on the whitelist.

Restricting the setting of Uri properties

Again the rigid structure of XAML comes to our aid. It can easily be scanned to determine every property setter that will be called and the value or binding to be set (don't forget styles and attached properties). The XAML can be rejected if any absolute Uri except a pack Uri is used. Attempts to set a Uri using a markup extension would be similarly rejected.
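The scan described in the answer above, as an added example that is not part of the answer and is not the author's enhanced XamlReader: a Python script that parses the XAML text as XML, collects every type reference from element names, attached-property names, markup extensions (including nested ones and the type named by x:Static and x:Type) and Type-valued properties, and rejects anything outside an allow-list; it also rejects any Uri-valued property (on an element, an attached property, a property element or a Style Setter) that is set to an absolute non-pack Uri, a UNC path, or a markup extension. The allow-list, the sets of Type-valued and Uri-valued property names, and the two XAML documents are constructed assumptions for the demo.

```python
import io
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

PRESENTATION_NS = "http://schemas.microsoft.com/winfx/2006/xaml/presentation"
XAML_NS = "http://schemas.microsoft.com/winfx/2006/xaml"

# Assumed allow-list: types the host lets loose XAML instantiate, keyed by XML
# namespace. Markup extensions are types too, listed under their "{...}" name.
SAFE_TYPES = {
    PRESENTATION_NS: {"StackPanel", "Grid", "TextBlock", "Image", "Style",
                      "Setter", "SystemColors", "StaticResource", "Binding"},
    XAML_NS: {"Static", "Type", "Null"},
}
TYPE_VALUED = {"TargetType", "DataType"}             # assumed: properties of type Type
URI_VALUED = {"Source", "UriSource", "NavigateUri"}  # assumed: properties of type Uri

# Start of a markup extension, "{prefix:Name args", up to the next brace, so a
# nested {Binding Source={x:Static a:B.C}} yields one match per extension.
EXT_RE = re.compile(r"\{\s*([A-Za-z_]\w*(?::[A-Za-z_]\w*)?)\s*([^{}]*)")


def _split(qname):
    # ElementTree "{uri}Local" -> (uri, "Local"); an unqualified name -> (None, name)
    if qname.startswith("{"):
        uri, _, local = qname[1:].partition("}")
        return uri, local
    return None, qname


def scan_xaml(text, safe_types=SAFE_TYPES):
    """Return the reasons to reject this XAML; an empty list means accept it."""
    problems = []
    ns_stack = []  # (prefix, uri) declarations currently in scope, innermost last

    def qualified(name):  # "prefix:Name" or "Name" as written in XAML -> (uri, "Name")
        prefix, _, local = name.rpartition(":")
        for p, uri in reversed(ns_stack):
            if p == prefix:
                return uri, local
        return None, local

    def check_type(uri, name):
        if uri is None:
            problems.append(f"type {name!r}: undeclared namespace prefix")
        elif name not in safe_types.get(uri, ()):
            problems.append(f"type {name!r} in {uri} is not on the allow-list")

    def check_value(prop, value):
        if value.startswith("{}"):            # "{}" escape: the rest is literal text
            value, is_ext = value[2:], False
        else:
            is_ext = value.startswith("{")
        if is_ext:
            for m in EXT_RE.finditer(value):  # every extension, nested or not, is a type
                ext_uri, ext = qualified(m.group(1))
                check_type(ext_uri, ext)
                if ext_uri == XAML_NS and ext in ("Static", "Type"):
                    target = m.group(2).split(",")[0].split("=")[-1].strip()
                    if ext == "Static":       # Owner.Member -> Owner
                        target = target.rsplit(".", 1)[0]
                    check_type(*qualified(target))
        elif prop in TYPE_VALUED:             # e.g. TargetType="Button"
            check_type(*qualified(value))
        if prop in URI_VALUED:
            if is_ext:
                problems.append(f"{prop}: Uri set through markup extension {value!r}")
                return
            parts = urlparse(value)
            if parts.scheme != "pack" and (parts.scheme or parts.netloc
                                           or value.startswith("\\\\")):
                problems.append(f"{prop}: absolute Uri {value!r} is not a pack Uri")

    source = io.BytesIO(text.encode("utf-8"))
    for event, payload in ET.iterparse(source, events=("start-ns", "end-ns", "end")):
        if event == "start-ns":
            ns_stack.append(payload)
            continue
        if event == "end-ns":
            ns_stack.pop()
            continue
        elem, (uri, local) = payload, _split(payload.tag)
        is_setter = (uri, local) == (PRESENTATION_NS, "Setter")
        if "." in local:                      # property element <Owner.Prop>...</Owner.Prop>
            owner, prop = local.split(".", 1)
            check_type(uri, owner)
            if len(elem) == 0:                # no child elements: the text is the value
                check_value(prop, (elem.text or "").strip())
        else:                                 # object element: one instantiated type
            check_type(uri, local)
        for key, value in elem.attrib.items():
            auri, prop = _split(key)
            if "." in prop:                   # attached property Owner.Prop="..."
                owner, prop = prop.split(".", 1)
                check_type(uri if auri is None else auri, owner)
            elif is_setter and prop == "Value":  # a Setter's Value applies to its Property
                owner, _, prop = elem.attrib.get("Property", "").rpartition(".")
                if owner:
                    check_type(*qualified(owner))
            check_value(prop, value)
    return problems


# Constructed sample: only allow-listed types, relative and pack Uris -> accepted.
SAFE_XAML = """<StackPanel xmlns="%s" xmlns:x="%s">
  <StackPanel.Resources><Style TargetType="TextBlock">
    <Setter Property="Foreground" Value="{x:Static SystemColors.ControlTextBrush}"/>
  </Style></StackPanel.Resources>
  <TextBlock Grid.Row="0" Text="hello"/>
  <Image Source="Images/logo.png"/>
  <Image Source="pack://application:,,,/Images/banner.png"/>
</StackPanel>""" % (PRESENTATION_NS, XAML_NS)

# Constructed sample: trips every check at least once -> rejected with six reasons.
HOSTILE_XAML = r"""<StackPanel xmlns="%s" xmlns:x="%s"
    xmlns:sys="clr-namespace:System;assembly=mscorlib"
    xmlns:diag="clr-namespace:System.Diagnostics;assembly=System">
  <StackPanel.Resources>
    <ObjectDataProvider x:Key="p" ObjectType="{x:Type diag:Process}" MethodName="Start"/>
  </StackPanel.Resources>
  <TextBlock Text="{x:Static sys:Environment.UserName}"/>
  <Image Source="http://attacker.example/probe.png"/>
  <Style TargetType="Image"><Setter Property="Image.Source" Value="\\attacker\share\x.png"/></Style>
  <Image Source="{Binding Path=Location}"/>
</StackPanel>""" % (PRESENTATION_NS, XAML_NS)

if __name__ == "__main__":
    for label, doc in (("benign", SAFE_XAML), ("hostile", HOSTILE_XAML)):
        print(label, scan_xaml(doc) or "accepted")
```

The namespace stack is what makes the scan honest: prefixes are resolved against the declarations actually in scope at that element, so a nested element that redeclares the default namespace to a clr-namespace cannot smuggle a type past a check keyed on the prefix text. The scan is still a pre-load gate over the document's syntax; it does not see types that are resolved only at run time, which is why the answer prefers a resolver-based check inside the reader when one can be fitted.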