Re: Re: Serious Security issue with broken - Microsoft's .Net XML Serialization API
there is an attribute in .net to serialize all your attributes... "long" type
may not be serializable by default (no idea why)...
example :
/// <summary>
/// One menu entry. Serialized as an <c>item</c> root element when written
/// on its own, with the label and link carried as XML attributes.
/// </summary>
[XmlRoot("item", IsNullable = false)]
public class MenuData
{
    /// <summary>Text of the entry; written as the <c>Label</c> attribute.</summary>
    [XmlAttribute("Label")]
    public string MenuLabel = "";

    /// <summary>Target of the entry; written as the <c>Link</c> attribute.</summary>
    [XmlAttribute("Link")]
    public string MenuLink = "";

    /// <summary>
    /// Optional sub-links; written as a <c>Links</c> element holding one
    /// child per string. Left null until a caller assigns it.
    /// </summary>
    [XmlArray("Links", IsNullable = false)]
    public string[] MenuLinks;

    /// <summary>
    /// Public parameterless constructor; XmlSerializer needs one to create
    /// instances while deserializing.
    /// </summary>
    public MenuData() { }
}
/// <summary>
/// The whole menu. Serialized as a <c>Menu</c> root element whose
/// <c>Items</c> child holds one element per <see cref="MenuData"/> entry.
/// </summary>
[XmlRoot("Menu", IsNullable = false)]
public class Menu
{
    /// <summary>Entries of the menu; written inside the <c>Items</c> element.</summary>
    [XmlArray("Items")]
    public MenuData[] MenuItems;

    /// <summary>
    /// Public parameterless constructor; XmlSerializer needs one to create
    /// instances while deserializing.
    /// </summary>
    public Menu() { }
}
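/// <summary>
/// Writes <c>myMenu</c> as XML to the file named by <c>MenuFile</c>.
/// </summary>
/// <remarks>
/// <c>myMenu</c> and <c>MenuFile</c> are members declared outside this listing.
/// </remarks>
public void SaveMenu()
{
    XmlSerializer serializer = new XmlSerializer(typeof(Menu));

    // The using block closes the writer even when Serialize throws, so a
    // failed save does not leave the file handle open.
    // NOTE(review): StreamWriter(path) overwrites the existing file, so a
    // failure part-way through can leave a truncated menu on disk; writing to
    // a temporary file and replacing the original afterwards would avoid that.
    using (TextWriter writer = new StreamWriter(MenuFile))
    {
        serializer.Serialize(writer, myMenu);
    }
}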
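/// <summary>
/// Loads <c>myMenu</c> from the XML file named by <c>MenuFile</c>.
/// </summary>
/// <remarks>
/// <c>myMenu</c> and <c>MenuFile</c> are members declared outside this listing.
/// </remarks>
private void GetMenu()
{
    // The serializer is bound to Menu at compile time, so the file supplies
    // only the values of Menu/MenuData members, not the type to create.
    XmlSerializer serializer = new XmlSerializer(typeof(Menu));

    // The using block closes the stream even when Deserialize throws on
    // malformed XML, so a bad file does not leak the handle.
    using (FileStream fs = new FileStream(MenuFile, FileMode.Open, FileAccess.Read))
    {
        // NOTE(review): Label/Link/Links values are taken from the file as-is.
        // If anything other than this application can write MenuFile, validate
        // them before they are rendered or used as navigation targets.
        myMenu = (Menu)serializer.Deserialize(fs);
    }
}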
The output will be something like:
<?xml version="1.0" encoding="utf-8"?>
<Menu xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Items>
<MenuData Label="Quit" Link="/logoff.aspx" />
<MenuData Label="Notify users" Link="/notify.aspx" />
<MenuData Label="Admin" Link="/admin/login.aspx">
<Links>
<string>/admin/subpage.aspx</string>
<string>/admin/otherpage.aspx</string>
</Links>
</MenuData>
<MenuData Label="Users" Link="/userlist.aspx" />
</Items>
</Menu>
this works..... I don't see any security issue !! some attributes won't be
serializable by default...