Out of the Angle Brackets
Upgrading to MSXML 6.0. 1
1. Abstract 1
2. Installation & Upgrade. 2
3. Security Migration – Understanding Off-By-Default 3
4. Improving W3C XSD 1.0 Conformance & Compatibility with System.Xml 2.0: Changes to the XmlSchemaCache: 7
5. Obsolete features/Classes. 8
Microsoft Core XML Services (MSXML) 6.0 is the current version of the core XML stack in the COM / Scripting environment. This document covers installation of MSXML6 and application upgrade, supported operating systems and changes from MSXML 3 and MSXML 4.
The key changes in MSXML 6.0 that are covered in this document are as follows:
- MSXML 6.0 introduced a number of security changes to turn security sensitive features “off-by-default”.
- MSXML 6.0 has improved support for the W3C XSD 1.0 Specification and has also increased compatibility with System.Xml in the .Net Framework 2.0
- MSXML 6.0 has deprecated several legacy features from MSXML 3.0 & MSXML 4.0
- MSXML 6.0 no longer supports deployment by MSM or CAB. Only MSI installation is supported downlevel from Vista. MSXML6 is part of the Vista operating system. We are working on offering MSXML 6.0 SP1 as a recommended update on Windows Update and may switch to Critical Update if there is strong feedback on the cab scenario usage. Web application developers need to advise their customer to get MSXML 6.0 SP1
Please see the sections below on details on these changes.
MSDN documentation on these changes in MSXML 6.0 at http://msdn2.microsoft.com/en-us/library/ms753751.aspx
Installation Summary : MSXML6 is included in Vista by default and is available for download for supported downlevel platforms from http://www.microsoft.com/downloads/details.aspx?FamilyID=d21c292c-368b-4ce1-9dab-3e9827b70604&displaylang=en
Installation Location: Successful installation will result in the addition of
Version : 6.10.1129.0
Upgrade: In order to upgrade an application to use MSXML 6.0, all the references to MSXML objects must be modified to use the MSXML 6.0 version dependent ProgIDs. For example: MSXML2.DOMDocument.6.0
Supported Operating Systems
MSXML 6.0 supports the following operating systems:
- Windows 2000
- Windows XP
- Windows 2003
- Windows Vista
Support will follow the support policy for Windows service packs listed at http://support.microsoft.com/default.aspx?pr=lifesupsps#Windows Because MSXML 6.0 releases out of band from down-level operating systems, only the most recent (n) and n-1 service packs of MSXML are supported on the supported operating systems.
In MSXML 6.0 several security sensitive properties have been configured to be off by default. When upgrading these properties may need to be re-enabled, however be aware that these properties are important in securing the DOM and SAX Reader when parsing data from untrusted or unauthenticated clients. The security risks should be carefully considered when enabling these properties in an unauthenticated channel.
MSDN documentation on this subject at http://msdn2.microsoft.com/en-us/library/ms754611.aspx
DOMDocument60 Property Settings
The following are second level properties for DOMDocument60. The syntax for setting second level properties: xmldoc.setProperty "propertyname", Boolean
Note: The property name is a case sensitive.
1. ResolveExternals - Sets the master control for all externally resolvable resources including:
- All external definitions
- resolvable namespaces
- document type definition (DTD) external subsets
- external entity references
- xsd:include, xsd:import, xsd:redefine
- xsl:include, xsl:import
Default: ResolveExternals is set to false by default in 6.0
Notes: If the Xml file has a reference to an external DTD or entity references, it would fail to load the DTD and as result the xml document will not be validated.
If XSD schemas include or import other schemas, they will not be resolved as well and may lead to XSD compilation and validation errors.
Example: Xmldoc.setProperty “ResolveExternals”, true
2. ProhibitDTD - Prohibits inclusion of DTDs in XML documents. When this property is set to true instance documents containing DTDs cannot be parsed. When set to FALSE, DTDs are allowed. Setting this property will prohibit DTDs and send error "Invalid at the top level of the document" (XML_E_INVALIDATROOTLEVEL, 0xE52D) whenever DTD is used.
Default: ProhibitDTD is set to TRUE by default (DTDs are not allowed)
Notes: This property was added in MSXML6 and MSXML3 SP5 – it does not exist in MSXML4 SP2
Example: xmldoc.SetProperty "ProhibitDTD", True
3. MaxElementDepth – Specifies the maximum element depth for any document, schema, or XSLT file when it is loaded into the DOM. It does set any limitations on overall file size, or the size of the content of any given particle (attribute, element, comment, etc.). Any document that has a subtree which exceeds the MaxElementDepth will cause an error.
Notes: This is a new property in MSXML 6.0 SP1, and MSXML3 SP8 (Vista) – it does not exist in MSXML4 SP2
Example: xmldoc.SetProperty "MaxElementDepth", 100
4. UseInlineSchema – Specifies whether inline XSD schemas in an instance document should be used to validate the document (true) or not (false). When this property is set to false, inline schemas are treated like any other XML fragments.
Default: UseInlineSchema is set to false by default.
Notes: This setting does not affect whether validation occurs or not at parse time. Even when this property is set to false the instance document can still be validated at parse time
Example: Xmldoc.setProperty “UseInlineSchema”, true
5. AllowDocumentFunction - enables (true) or disables (false) the document() function in XSLT. Attempts to call the document() when the property is disabled will result in an "Access Denied" error.
Default: AllowDocumentFunction is set to false by default.
Notes: This property is supported in MSXML 3.0 SP4, MSXML 4.0 SP2, and later.
Example: xsltdoc.setProperty “AllowDocumentFunction”,true
6. AllowXsltScript – enables (true) or disables (false) the ability to embed script in XSLT files. When set to false AllowXsltScript will prohibit all script blocks in an XSLT stylesheet. It will error when an XSLT DOM object containing script is used in transformNode() or transformNodeToObject(), or when the XSLT DOM is set as the stylesheet property on the IXSLTemplate.
Default: AllowXsltScript is set to false by default
Notes: When XSLT is hosted inside IE the URL of the hosting page is used to determine the script execution permissions based on the intersection of the zone the hosting page belongs to and the user’s IE security policy for that zone even when AllowXsltScript is set to true. When AllowXsltScript is set to false in IE all scripts are blocked regardless of the user’s security policy for that zone.
AllowXsltScript property applies to all included/imported XSLT.
AllowXsltScript is a new property in MSXML 6.0
Example: xsltdoc.SetProperty "AllowXsltScript”, True
SAXXMLReader60 Property Settings
Similar to the DOMDocument, the parsing behavior for the SAX reader has also been configured to be off by default to provide secure parsing services out of the box. The concepts are largely the same but SAX does not support XSLT and the property names differ in some cases.
1. prohibit-dtd – Similar to the DOM property it prohibits inclusion of DTDs in XML documents. When this property is set to true instance documents containing DTDs cannot be parsed. When set to FALSE, DTDs are allowed.
Default: This property is set to true by default
Notes: This property is new in MSXML 6.0
2. max-element-depth – Similar to the DOM property it specifies the maximum element depth for any document parsed by the SAX reader. It does set any limitations on overall file size, or the size of the content of any given particle (attribute, element, comment, etc.). Any document that has a subtree which exceeds the MaxElementDepth will cause an error
Default: The property is set to 256 by default.
3. use-inline-schema – Similar to the DOM property it specifies whether inline XSD schemas in an instance document should be used to validate the document (true) or not (false). When this property is set to false, inline schemas are treated like any other XML fragments.
Default: This property is set to false by default.
4. use-schema-location – Unlike the DOM which uses ResolveExternals to control all externals, the SAX reader allows more granular control of external entities, DTDs, and XSD schemas. This property controls whether or not to resolve XSD schemas referenced in the XML document using the xsi:schemaLocation attribute. When set to true the xsi:schemLocation value will attempt to be resolved and used for validation. When set to false the xsi:schemaLocation attribute will be ignored.
Default: This property is set to false by default.
Notes: Setting this property to false protects the parser from potential security exposure from loading schemas referenced by untrusted data but may lead to unexpected validation behavior if the application relies on the instance document to provide an appropriate schema
There is no change in the behavior for other externals (entities, external DTDs) in MSXML 6.0
In order to improve conformance to the W3C standard and compatibility with other schema implementations MSXML 6.0 introduces a number of changes to the XSD schema compilation and validation model in the XmlSchemaCache. These changes apply regardless of whether documents are being validated through the DOMDocument or the SAXXMLReader.
The IXMLDOMSchemaCollection/XMLSchemaCache object is free-threaded and can be used in multiple documents at the same time. The XML Schema document that is sent to the schema collection is cloned, and the XML Schema document remains writable. Any changes that occur in the XML Schema file after it is stored in the schema cache are not reflected in its cloned image. A single schema cache can be added to multiple schema collections, due to the creation of the cloned image.
MSDN documentation on this subject at http://msdn2.microsoft.com/en-us/library/ms764692.aspx
1. XmlSchemaCache Add() method:
§ User needs to validate on add set to false in order to avoid issues around order of calls to Add
o The Add operation is atomic. All the schemas must be added successfully to the cache or else none are. This includes both syntactic and semantic violations in the provided schema such as conflicting items in the resulting set resulting from importing a version of a schema from different loc and/or redefining some items already in the cache.
2. MSXML 6.0 has removed support for XDR schemas. The following error occurs when tried to load an XDR schema:
-2147467259:productsxdr.xml#/Schema : Incorrect definition for the root element in schema.
3. XmlSchemaCache get() method: In previous versions, this method returns the DOMDocument for a given namespace. In MSXML 6.0 this method is not implemented.
4. XmlSchemaCache remove() method: In previous versions, this method removes the specified namespace from a collection. In MSXML 6.0 this method is not implemented.
5. XmlSchemaCache addCollection() method: Behaves similar to Add() method. This method is atomic – either all schemas are added or none are.
6. maxOccurs and minOccurs: MSXML 6.0 does not support minOccurs or maxOccurs values greater than 2^32. Values larger than that are automatically truncated to 2^32. To support content models that allow more than 2^32 elements for a given declaration use the “unbounded” keyword.
7. The implementation is compatible with the System.Xml schemas. Which implies the schema that compile in SOM also compile in System.Xml.
8. The XmlSchemaCache can be populated using the urlpath or DOMDocument. When using urlpath to populate the XmlSchemaCache the default DOMDocument is created. For the default DOMDocument, some properties (ResolveExternals, useInlineSchema, etc) are disabled. This may cause problems if the schema contains external references(xs:include, xs:import). The included/imported schemas will not be resolved.
In cases where the schema has external references, use DOMDocument to load the XmlSchemaCache. For each include/import schema, a DOMDocument is created in memory. If a DOMDocument is used to load the XmlSchemaCache, then the DOMDocuments created will inherit the DOMDocument. Therefore the external references can be resolved.
1. XDR Schemas can no longer be used with MSXML 6.0. To convert XDR schemas to XSD format, XSD.EXE can be used. XSD.exe is installed with Visual studio .NET 1.0 and 1.1.
2. DSO document(MSXML2.DSOControl.6.0) is not available with MSXML 6.0. This feature is not used by many customers.
Example: When tried to create MSXML2.DSOControl.6.0 object, the following error occurs:
429:ActiveX component can't create object
Hi, As a part of our MSXML4 End of Life plan , we are going to kill bit MSXML4 in the October – December
The Microsoft XML team has announced MSXML4 will be kill bit-ed in IE in the October - December 2007
Jeremy Dallman here with some important information from the MSXML team to the IE development community.
Jeremy Dallman here with some important information from the MSXML team to the IE development community
MS are going to push out an IE specific kill-bit for MSXML4 in October. More information here: http://blogs.msdn.com/xmlteam/archive/2007/03/12/msxml4-is-going-to-be-kill-bit-ed.aspx
Now, there are an error, "Invalid at the top level of the document" when I create DataSource in Analysis Services in Visual Studio 2005 on Vista. I researched and know that ProhibitDTD=true (default) in MSXML 6.0. I don't know to config MSXML by commandline or don't uninstall MSXML 6.0 because I am using Vista.
Can you help me please ? Thanks.
While on the subject of XML. I noticed an announcement on the Microsoft XML Team blog that MSXML4 is
howdo you tell what is going on with the site check up on it firstname.lastname@example.org
Anyone know how to perform an unattended install of XML 6? Basically an install script to put on a logon script will work.
Hello All, In March , we posted our intention to killbit MSXML4 and encouraged users to move to MSXML6
今天，我们很荣幸地宣布 MSXML4.0 Service Pack 3 (SP3) 可以在微软下载中心下载了！ MSXML4.0 SP3支持多种语言。MSXML4.0 SP3修复了许多安全缺陷并提高了软件的可靠性，可以完全取代以前的MSXML4.0、MSXML4.0
由于历史原因，MSXML有许多版本共存，比如3.0、4.0、5.0和6.0。让我们的客户把他们的应用程序移植到MSXML 6.0上去是我们的最终目标。 虽然我们希望今天每个人都在使用MSXML 6.0，但仍然清醒地意识到迁移需要相当的时间。所以我们将继续在MSXML