Breaking Change T1162146

Web Reporting and BI Dashboard applications: Custom data sources require registration

What Changed

When a data source is deserialized, the XML root node must match the data source type (or one of its descendants).

Data Source Type              Root XML Node
ObjectDataSource              "ObjectDataSource"
JsonDataSource                "JsonDataSource"
ExcelDataSource               "ExcelDataSource"
DashboardExtractDataSource    "ExtractFileDataSource"
DashboardOlapDataSource       "OLAPDataSource"
EFDataSource                  "EFDataSource"
FederationDataSource          "FederationDataSource"
MongoDBDataSource             "MongoDBDataSource"
SqlDataSource                 "SqlDataSource"
XPObjectSource                "XPObjectSource"

Reasons for Change

This change protects your application from an insecure deserialization vulnerability.

Impact on Existing Apps

An exception is thrown during data source deserialization from XML in the following instances:

  • A data source implements custom serialization to XML and the root XML node does not match a DevExpress data source type or its descendants (see the data source table above for the list).
  • The DevExpress Web Report Designer or Web BI Dashboard uses custom data sources (DataComponentBase descendants).

How to Update Existing Apps

Implement and register a service that encrypts and decrypts serialized data sources that are not listed in the table. Follow the steps below:

  1. Create a class that implements the IDataSourceProtectionService interface with the following methods:
    • void Protect(XElement dataSourceXElement) - Encrypts an XML element.
    • void Unprotect(XElement dataSourceXElement) - Decrypts an XML element.
  2. Register the class in the DefaultReportDesignerContainer, DefaultQueryBuilderContainer, ASP.NET Core IServiceCollection, or in the Dashboard Control using the DashboardConfigurator.SetDataSourceProtectionService method.
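
One way to carry out both steps in an ASP.NET Core app, as an added example that is not DevExpress code: the service uses ASP.NET Core Data Protection (authenticated encryption), so Unprotect rejects any XML the server did not produce itself. Assumptions: the interface's namespace, the class and helper names, the "protected" marker attribute, the purpose string, the singleton lifetime, and that the element may keep its root name while its content is replaced by the protected payload.

```csharp
using System;
using System.Xml.Linq;
using DevExpress.DataAccess.Web; // assumed namespace of IDataSourceProtectionService
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical class name; the interface and both methods are the ones named in step 1.
public class CustomDataSourceProtectionService : IDataSourceProtectionService {
    const string Marker = "protected"; // assumed marker attribute, not a DevExpress name
    readonly IDataProtector protector;

    public CustomDataSourceProtectionService(IDataProtectionProvider provider) {
        // Constructed purpose string; isolates these payloads from other protected data.
        protector = provider.CreateProtector("CustomDataSource.Xml.v1");
    }

    public void Protect(XElement dataSourceXElement) {
        if (dataSourceXElement == null) throw new ArgumentNullException(nameof(dataSourceXElement));
        // Encrypt and authenticate the whole element: name, attributes and children.
        string cipher = protector.Protect(dataSourceXElement.ToString(SaveOptions.DisableFormatting));
        dataSourceXElement.RemoveAll(); // drops attributes and child nodes
        dataSourceXElement.SetAttributeValue(Marker, "1");
        dataSourceXElement.Value = cipher;
    }

    public void Unprotect(XElement dataSourceXElement) {
        if (dataSourceXElement == null) throw new ArgumentNullException(nameof(dataSourceXElement));
        // Fail closed on plain, unprotected XML instead of passing it through.
        if ((string)dataSourceXElement.Attribute(Marker) != "1" || dataSourceXElement.HasElements)
            throw new InvalidOperationException("Data source XML was not produced by Protect.");
        // Throws CryptographicException if the payload was altered or made with another key.
        XElement original = XElement.Parse(protector.Unprotect(dataSourceXElement.Value));
        if (original.Name != dataSourceXElement.Name)
            throw new InvalidOperationException("Protected payload does not belong to this element.");
        dataSourceXElement.ReplaceAll(original.Attributes(), original.Nodes());
    }
}

public static class DataSourceProtectionRegistration {
    // Step 2 for ASP.NET Core: call from the app's service configuration.
    public static void AddCustomDataSourceProtection(IServiceCollection services) {
        services.AddDataProtection();
        services.AddSingleton<IDataSourceProtectionService, CustomDataSourceProtectionService>();
    }
}
```

Persist the Data Protection key ring and share it across server instances, because stored report or dashboard layouts protected with a lost key can no longer be loaded.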

How to Revert to Previous Behavior

You cannot revert to the previous behavior.
