API Proposal: XmlResolver.NullResolver
There is no publicly exposed API for "please give me an XmlResolver that forbids all external entity resolution." By convention, some APIs that accept an XmlResolver parameter interpret nullptr to mean "don't allow external entity resolution," but this is not 100% consistent across the API surface. (XmlReaderSettings has particularly convoluted code here.)
To make code clearer, we should have an API to denote explicitly "I want to forbid external entity resolution." This eliminates ambiguity at the call site. It also provides an offramp for people who were referencing XmlSecureResolver in an effort to address static analyzer warnings.
```csharp
// System.Xml.ReaderWriter.dll
namespace System.Xml
{
    public abstract partial class XmlResolver
    {
        // NEW PROPOSED API
        public static System.Xml.XmlResolver NullResolver { get { throw null; } }

        // EXISTING API, for reference
        protected XmlResolver() { }
        public virtual System.Net.ICredentials Credentials { set { } }
        public abstract object? GetEntity(System.Uri absoluteUri, string? role, System.Type? ofObjectToReturn);
        public virtual System.Threading.Tasks.Task<object> GetEntityAsync(System.Uri absoluteUri, string? role, System.Type? ofObjectToReturn) { throw null; }
        public virtual System.Uri ResolveUri(System.Uri? baseUri, string? relativeUri) { throw null; }
        public virtual bool SupportsType(System.Uri absoluteUri, System.Type? type) { throw null; }
    }
}
```

Risks
Perhaps the word "null" is confusing in this context? This API provides a fairly typical "null object pattern" implementation, and we do have other instances of this across the extensions namespace (e.g., NullLogger, NullFileProvider).
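
The call-site difference the proposal is about, as an added example that is not part of the original issue or the runtime's code: a hand-written deny-all resolver passed explicitly, next to the `null` convention. `DenyAllResolver`, `Parse` and the sample document are hypothetical names and constructed input, and throwing from `GetEntity` is an assumed way to refuse resolution, not the proposed implementation.

```csharp
using System;
using System.IO;
using System.Threading.Tasks;
using System.Xml;

// Hypothetical stand-in (not the proposed API): refuses every external fetch.
sealed class DenyAllResolver : XmlResolver
{
    public override object? GetEntity(Uri absoluteUri, string? role, Type? ofObjectToReturn)
        => throw new XmlException($"External resolution forbidden: {absoluteUri}");

    public override Task<object> GetEntityAsync(Uri absoluteUri, string? role, Type? ofObjectToReturn)
        => Task.FromException<object>(new XmlException($"External resolution forbidden: {absoluteUri}"));
}

static class Program
{
    // Constructed sample: the internal DTD subset declares an external entity.
    const string Sample =
        "<!DOCTYPE doc [ <!ENTITY ext SYSTEM \"file:///constructed/example.txt\"> ]>" +
        "<doc>&ext;</doc>";

    // Reads Sample with DTD processing enabled, so the resolver alone decides
    // whether the external entity is fetched.
    static string Parse(XmlResolver? resolver)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Parse,
            XmlResolver = resolver
        };
        try
        {
            using var reader = XmlReader.Create(new StringReader(Sample), settings);
            var text = "";
            while (reader.Read())
                if (reader.NodeType == XmlNodeType.Text) text += reader.Value;
            return $"parsed, text = \"{text}\"";
        }
        catch (XmlException ex)
        {
            return "rejected: " + ex.Message;
        }
    }

    static void Main()
    {
        Console.WriteLine("explicit deny-all: " + Parse(new DenyAllResolver()));
        Console.WriteLine("null by convention: " + Parse(null));
    }
}
```

The first call states the intent in the type passed; the second depends on how the receiving API interprets `null`, which is the ambiguity the proposal describes.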