json.net支持将JSON转换为XML。因此,我尝试了这样的简单代码:
string xml = @"<?xml version='1.0' standalone='no'?>
<!DOCTYPE notes [
<!ENTITY ent 'Sample text'>
]>
<notes>
<note>&ent;</note>
</notes>";
XmlDocument doc = new XmlDocument();
doc.LoadXml(xml);
string json = JsonConvert.SerializeXmlNode(doc);
Console.WriteLine(json);
结果是有例外:
Newtonsoft.Json.JsonSerializationException:
Unexpected XmlNodeType when getting node name: EntityReference
我找不到有关(非)支持实体的任何信息,所以也许我做错了什么?
例外是解释性的:JSON.NET显然没有实现XmlEntityReference节点转换为JSON。这是用于表示&ent;实体参考的XmlNode子类型。
为了避免在阅读XML时需要扩展实体的限制,例如:
var settings = new XmlReaderSettings
{
// Allow processing of DTD
DtdProcessing = DtdProcessing.Parse,
// On older versions of .Net instead set
//ProhibitDtd = false,
// But for security, prevent DOS attacks by limiting the total number of characters that can be expanded to something sane.
MaxCharactersFromEntities = (long)1e7,
// And for security, disable resolution of entities from external documents.
XmlResolver = null,
};
XmlDocument doc = new XmlDocument();
using (var textReader = new StringReader(xml))
using (var xmlReader = XmlReader.Create(textReader, settings))
{
doc.Load(xmlReader);
}
string json = JsonConvert.SerializeXmlNode(doc, Newtonsoft.Json.Formatting.Indented);
Console.WriteLine(json);
注意:
不受信任的XML文件有可能通过巧妙地制作的DTD实体和实体参考来强制拒绝服务攻击,如下所示。将
XmlReaderSettings.MaxCharactersFromEntities设置为合理的东西应该减轻。此特定值是从
XDocument.Load()的参考源中获取的。修改以满足您的需求。类似地设置
XmlReaderSettings.XmlResolver = null阻止了不信任的XML向外部资源生成意外请求。
,或者您可以切换到XDocument API,其中始终扩展实体,默认情况下安全设置更合适:
var doc = XDocument.Parse(xml);
string json = JsonConvert.SerializeXNode(doc, Newtonsoft.Json.Formatting.Indented);
Console.WriteLine(json);
工作.NET小提琴表明&ent;节点被扩展到其值Sample text:
{
"?xml": {
"@version": "1.0",
"@standalone": "no"
},
"!DOCTYPE": {
"@name": "notes",
"@internalSubset": "n <!ENTITY ent 'Sample text'>n "
},
"notes": {
"note": "Sample text"
}
}