XML DOM Security (Windows CE 5.0)

XML Core Services and the Document Object Model (DOM) have the following potential security risks:

  • The DOM is designed to run over a public network, such as the Internet. If the security of the DOM is compromised, it could expose the Windows CE-based device or local network to the public network.
  • The DOM supports third-party extensions. If these extensions do not use proper security and authentication procedures, they could compromise the security of the Windows CE-based device or local network.
  • If the DOM is used with Microsoft® Internet Explorer or external entity references, and proper security and authentication procedures are not used, the DOM could compromise the security of the Windows CE-based device or local network.

Best Practices

Disable external references to avoid exhausting system resources

Like HTML, XML will resolve links to external data sources by default. Disabling external references will prevent the XML parser from retrieving information not contained in the XML document itself. You can disable external references by setting the resolveExternals property to false, in either of the following ways, immediately after creating the DOM object.

put_resolveExternals(false);

– or –

DOM.resolveExternals = false; (for JScript)

Set a limit on the amount of data that an application or server will accept for any document

Large amounts of data can overflow system memory, which may cause system instability. Your application should check the amount of data coming into it. If the amount of incoming information exceeds the maximum amount you set, the application should fail to process the request further and it should not load the data into the DOM.
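
The size check described above, as an added example in portable C++ (not code from the original documentation). `accept_document`, `AcceptResult` and the `load_into_dom` callback are hypothetical names; the callback stands in for creating the DOM object and loading the text, and the sample inputs in `main` are constructed.

```cpp
#include <cstddef>
#include <functional>
#include <iostream>
#include <istream>
#include <sstream>
#include <string>

// Outcome of trying to accept one incoming document.
enum class AcceptResult { Loaded, TooLarge, ReadError, ParseFailed };

// Reads the incoming stream in fixed-size chunks and counts bytes as they
// arrive, so a sender that omits or understates a declared length cannot get
// past the limit. Memory held never exceeds max_bytes plus one chunk.
AcceptResult accept_document(
    std::istream& in, std::size_t max_bytes,
    const std::function<bool(const std::string&)>& load_into_dom)
{
    std::string buffer;
    char chunk[4096];
    while (in) {
        in.read(chunk, sizeof chunk);
        const std::size_t got = static_cast<std::size_t>(in.gcount());
        // buffer.size() <= max_bytes always holds, so this cannot underflow.
        if (got > max_bytes - buffer.size())
            return AcceptResult::TooLarge;  // fail the request; loader never runs
        buffer.append(chunk, got);
    }
    if (in.bad())
        return AcceptResult::ReadError;
    // Only a complete document within the limit reaches the DOM.
    return load_into_dom(buffer) ? AcceptResult::Loaded
                                 : AcceptResult::ParseFailed;
}

int main()
{
    // Stand-in for the DOM load step (assumption: returns true on success).
    auto loader = [](const std::string& xml) { return !xml.empty(); };

    std::istringstream ok("<order id=\"1\"/>");               // constructed input
    std::istringstream oversized(std::string(100000, 'A'));   // constructed input

    std::cout << (accept_document(ok, 65536, loader) == AcceptResult::Loaded)
              << ' '
              << (accept_document(oversized, 65536, loader) == AcceptResult::TooLarge)
              << '\n';
    return 0;
}
```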

If your application supplies browsing capabilities, implement a security manager, such as the Internet Explorer Security Manager

XML uses the security zones set by URL Monikers Services (URLMON). You can access these security zones through the URLMON registry settings. You will also need to set the IObjectSafety extensions.

For more information about importing the Internet Explorer Security Manager, see "IObject Safety Extensions for Internet Explorer" on MSDN®.

For more information about URLMON security zones, see URL Security Zones.

Default Registry Settings

URLMON security zones affect XML security. For more information about security zones, see URL Security Zones.

You should be aware of the registry settings that impact security. The registry settings documentation contains Security Note entries with information about security issues.

For general XML registry information, see XML Core Services Registry Settings.

See Also

XML Core Services and Document Object Model | XML DOM Application Development | Enhancing the Security of a Device

© 2006 Microsoft Corporation. All rights reserved.