What Changed
The XML root node must match the data source type (or one of its descendants) when a data source is deserialized from XML.
Data Source Type | Root XML Node |
---|---|
ObjectDataSource | "ObjectDataSource" |
JsonDataSource | "JsonDataSource" |
ExcelDataSource | "ExcelDataSource" |
DashboardExtractDataSource | "ExtractFileDataSource" |
DashboardOlapDataSource | "OLAPDataSource" |
EFDataSource | "EFDataSource" |
FederationDataSource | "FederationDataSource" |
MongoDBDataSource | "MongoDBDataSource" |
SqlDataSource | "SqlDataSource" |
XPObjectSource | "XPObjectSource" |
Reasons for Change
This change protects your application from an insecure deserialization vulnerability.
Impact on Existing Apps
An exception is thrown during data source deserialization from XML in the following instances:
- A data source implements custom serialization to XML and the root XML node does not match a DevExpress data source type or one of its descendants (see the data source table above for the list).
- The DevExpress Web Report Designer and Web BI Dashboard use custom data sources (DataComponentBase descendants).
How to Update Existing Apps
Implement and register a service that encrypts/decrypts serialized data sources that are not listed in the table. Follow the steps below:
- Create a class that implements the IDataSourceProtectionService interface with the following methods:
  - void Protect(XElement dataSourceXElement) - Encrypts an XML element.
  - void Unprotect(XElement dataSourceXElement) - Decrypts an XML element.
- Register the class in the DefaultReportDesignerContainer, DefaultQueryBuilderContainer, ASP.NET Core IServiceCollection, or in the Dashboard Control using the DashboardConfigurator.SetDataSourceProtectionService method.
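One way to write the class from the first step, as an added example that is not DevExpress code: it encrypts the element's content with AES-GCM and authenticates the root node name, so the content cannot be modified or moved under a different root without decryption failing. The interface is redeclared locally from the two signatures listed above; the class name AesGcmDataSourceProtectionService, the blob layout, the MyCustomDataSource sample and the random demo key are assumptions.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Xml.Linq;

// Local stand-in (assumption) so the file compiles alone; implement the DevExpress interface in an application.
public interface IDataSourceProtectionService {
    void Protect(XElement dataSourceXElement);
    void Unprotect(XElement dataSourceXElement);
}

// Hypothetical class (needs .NET 8+): stores base64(nonce || tag || ciphertext) in the element.
public sealed class AesGcmDataSourceProtectionService(byte[] key) : IDataSourceProtectionService {
    const int NonceSize = 12, TagSize = 16;
    // The root element name is bound as associated data: a blob moved under another root fails to decrypt.
    static byte[] Aad(XElement e) => Encoding.UTF8.GetBytes(e.Name.ToString());

    public void Protect(XElement dataSourceXElement) {
        byte[] plain = Encoding.UTF8.GetBytes(dataSourceXElement.ToString(SaveOptions.DisableFormatting));
        byte[] nonce = RandomNumberGenerator.GetBytes(NonceSize); // fresh nonce for every call
        byte[] cipher = new byte[plain.Length], tag = new byte[TagSize];
        using (var aes = new AesGcm(key, TagSize))
            aes.Encrypt(nonce, plain, cipher, tag, Aad(dataSourceXElement));
        dataSourceXElement.ReplaceAll(Convert.ToBase64String(nonce.Concat(tag).Concat(cipher).ToArray()));
    }

    public void Unprotect(XElement dataSourceXElement) {
        byte[] blob = Convert.FromBase64String(dataSourceXElement.Value);
        if (blob.Length < NonceSize + TagSize) throw new CryptographicException("Truncated data source blob.");
        byte[] nonce = blob[..NonceSize], tag = blob[NonceSize..(NonceSize + TagSize)], cipher = blob[(NonceSize + TagSize)..];
        byte[] plain = new byte[cipher.Length];
        using (var aes = new AesGcm(key, TagSize))
            aes.Decrypt(nonce, cipher, tag, plain, Aad(dataSourceXElement)); // throws if the blob was altered
        XElement original = XElement.Parse(Encoding.UTF8.GetString(plain));
        dataSourceXElement.ReplaceAll(original.Attributes(), original.Nodes());
    }
}

public static class Demo {
    public static void Main() {
        var service = new AesGcmDataSourceProtectionService(RandomNumberGenerator.GetBytes(32)); // demo key only
        // Constructed sample: a custom data source whose root node is not in the table above.
        var xml = XElement.Parse("<MyCustomDataSource Name=\"Orders\"><Query>SELECT 1</Query></MyCustomDataSource>");
        string before = xml.ToString();
        service.Protect(xml);
        Console.WriteLine(xml); // root name kept, attributes and children replaced by the blob
        service.Unprotect(xml);
        if (xml.ToString() != before) throw new InvalidOperationException("Round trip failed.");
    }
}
```

In a deployed application the key comes from a secret store shared by every server that serializes or deserializes the data sources, and an instance of the class is registered through one of the routes named in the second step.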
How to Revert to Previous Behavior
You cannot revert to the previous behavior.