SharpSerializer is designed to serialize and deserialize data easily within a trusted environment; security is not one of its primary design goals.

Tampering with the serialized XML could result in the deserialization of malicious types, memory buffer overruns, deadlocks caused by recursive loops, and similar problems.

To avoid these problems, the serialized XML should be signed, or signed and encrypted if the serialized data is secret. The signature should be validated before deserialization.
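As an added example (not SharpSerializer's own code), the following C# wraps the serializer's XML output in an HMAC-SHA256 envelope and hands the XML to the deserializer only after the tag verifies, so a tampered document is rejected before any type is instantiated. It assumes SharpSerializer's `Polenter.Serialization.SharpSerializer` class with `Serialize(object, Stream)` and `Deserialize(Stream)`, and `CryptographicOperations.FixedTimeEquals` (.NET Core 2.1 / .NET Standard 2.1 or later); the `Settings` type and the key are constructed for the example.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using Polenter.Serialization;   // SharpSerializer's namespace (assumed here)

// Added example, not part of SharpSerializer.
// Constructed envelope layout: 32-byte HMAC-SHA256 tag followed by the XML bytes.
public static class SignedEnvelope
{
    private const int TagLength = 32;

    // Compute the tag over the XML and prepend it.
    public static byte[] Seal(byte[] xml, byte[] key)
    {
        using (var hmac = new HMACSHA256(key))
        {
            byte[] tag = hmac.ComputeHash(xml);
            var envelope = new byte[TagLength + xml.Length];
            Buffer.BlockCopy(tag, 0, envelope, 0, TagLength);
            Buffer.BlockCopy(xml, 0, envelope, TagLength, xml.Length);
            return envelope;
        }
    }

    // Returns the XML only when the tag is valid; throws otherwise, so untrusted
    // bytes never reach the deserializer.
    public static byte[] Open(byte[] envelope, byte[] key)
    {
        if (envelope == null || envelope.Length < TagLength)
            throw new CryptographicException("Malformed envelope: tag missing.");

        var expected = new byte[TagLength];
        var xml = new byte[envelope.Length - TagLength];
        Buffer.BlockCopy(envelope, 0, expected, 0, TagLength);
        Buffer.BlockCopy(envelope, TagLength, xml, 0, xml.Length);

        using (var hmac = new HMACSHA256(key))
        {
            byte[] actual = hmac.ComputeHash(xml);
            // Constant-time comparison: do not leak how many tag bytes matched.
            if (!CryptographicOperations.FixedTimeEquals(actual, expected))
                throw new CryptographicException("Signature mismatch: refusing to deserialize.");
        }
        return xml;
    }
}

// Constructed sample type for the example.
public class Settings
{
    public string Name { get; set; }
    public int Retries { get; set; }
}

public static class Program
{
    public static void Main()
    {
        // In practice the key comes from a secret store; generated here for the example.
        var key = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);

        var serializer = new SharpSerializer();   // assumed API: Serialize(object, Stream) / Deserialize(Stream)
        var original = new Settings { Name = "db", Retries = 3 };

        byte[] xml;
        using (var ms = new MemoryStream())
        {
            serializer.Serialize(original, ms);
            xml = ms.ToArray();
        }
        byte[] envelope = SignedEnvelope.Seal(xml, key);

        // Honest path: tag verifies, XML is passed to the deserializer.
        byte[] verified = SignedEnvelope.Open(envelope, key);
        using (var ms = new MemoryStream(verified))
        {
            var restored = (Settings)serializer.Deserialize(ms);
            Console.WriteLine($"restored: {restored.Name}, {restored.Retries}");
        }

        // Tampered path: flipping one bit of the XML after signing is caught before deserialization.
        var tampered = (byte[])envelope.Clone();
        tampered[tampered.Length - 1] ^= 0x01;
        try
        {
            SignedEnvelope.Open(tampered, key);
        }
        catch (CryptographicException e)
        {
            Console.WriteLine("rejected: " + e.Message);
        }
    }
}
```

A symmetric MAC is used for brevity, which means the verifying side could also produce valid envelopes; where the consumer must not be able to forge documents, an asymmetric signature (RSA or ECDSA over the same XML bytes) takes the place of the HMAC in the same flow. If the payload is secret, encrypt the XML first and compute the tag over the ciphertext, or use an AEAD such as AES-GCM, so that the integrity check still runs before any decryption or deserialization.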

For more granular control over the deserialization process, other serializers such as NetDataContractSerializer validate data before deserialization, either declaratively (using attributes) or imperatively.

Last edited Apr 24 at 7:03 PM by polo, version 1
