See Also
 Important: |
|---|
| This is retired content. This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist. |
XML Core Services and Document Object Model (DOM) has the following potential security risks:
- The DOM is designed to run over a public network, such as the
Internet. If the security of the DOM is compromised, it could
expose the Windows Mobile device or local network to the public
network.
- The DOM supports third party extensions. If these extensions do
not use proper security and authentication procedures, they could
compromise the security of the Windows Mobile device or local
network.
- If the DOM is used with Microsoft Internet Explorer or external
entity references, and proper security and authentication
procedures are not used, the DOM could compromise the security of
the Windows Mobile device or local network.
Best Practices
Disable external references to
avoid exhausting system resources
Like HTML, XML will resolve links to external data sources by default. Disabling external references will prevent the XML parser from retrieving information not contained in the XML document itself. You can disable external references by setting either of the following flags immediately after creating the DOM object.
put_resolveExternals(false);
– or –
DOM.resolveExternals = false;(for JScript)
Set a limit on the amount of data
that an application or server will accept for any document
Large amounts of data can overflow system memory, which may cause system instability. Your application should check the amount of data coming into it. If the amount of incoming information exceeds the maximum amount you set, the application should fail to process the request further and it should not load the data into the DOM.
If your application supplies
browsing capabilities, implement a security manager, such as the
Internet Explorer Security Manager
XML uses the security zones set by URL Monikers Services (URLMON). You can access these security zones through the URLMON registry settings. You will also need to set the IObjectSafetyextensions.
For more information about importing the Internet
Explorer Security Manager, see
For more information about URLMON security zones, see URL Security Zones.
Default Registry Settings
URLMON security zones affect XML security. For more information about security zones, see URL Security Zones.
You should be aware of the registry settings that impact security. The registry settings documentation contains Security Noteentries with information about security issues.