Breaking Change BC4930

Web Reporting - Deserialization from the CodeDOM format has been disabled

For security reasons, in Web applications, deserialization of report layouts (REPX files) and style sheets (REPSS files) stored in CodeDOM format has been disabled. An exception is thrown on an attempt to load such a report or style sheet.

If you trust your report source, you can choose one of the following options:

1. Migrate to the XML format (recommended)

To avoid potential security threats, we strongly recommend that you migrate your reports and style sheets from the CodeDOM format to the XML format. To do this, create a .NET Framework application and perform the following actions:

  1. Call the DevExpress.Security.Resources.AccessSettings.ReportingSpecificResources.SetRules method to add a serialization rule that allows CodeDOM and XML formats.
  2. Open a report or style sheet.
  3. Save it to the XML format.

C#
    // Allow both CodeDOM and XML formats for the duration of the migration.
    DevExpress.Security.Resources.AccessSettings.ReportingSpecificResources.SetRules(
        SerializationFormatRule.Allow(SerializationFormat.Code, SerializationFormat.Xml));

    // Load the CodeDOM report layout and save it back as XML.
    XtraReport report = XtraReport.FromFile("Layout.repx", true);
    report.SaveLayoutToXml("Layout.repx");

    // Load the CodeDOM style sheet and save it back as XML.
    XtraReport reportStyles = new XtraReport();
    reportStyles.StyleSheet.LoadFromFile("Styles.repss");
    reportStyles.StyleSheet.SaveXmlToFile("Styles.repss");

Visual Basic
    ' Allow both CodeDOM and XML formats for the duration of the migration.
    DevExpress.Security.Resources.AccessSettings.ReportingSpecificResources.SetRules(
        SerializationFormatRule.Allow(SerializationFormat.Code, SerializationFormat.Xml))

    ' Load the CodeDOM report layout and save it back as XML.
    Dim report As XtraReport = XtraReport.FromFile("Layout.repx", True)
    report.SaveLayoutToXml("Layout.repx")

    ' Load the CodeDOM style sheet and save it back as XML.
    Dim reportStyles As XtraReport = New XtraReport()
    reportStyles.StyleSheet.LoadFromFile("Styles.repss")
    reportStyles.StyleSheet.SaveXmlToFile("Styles.repss")

  4. Once you migrate all the reports and style sheets, remove the line where you call the DevExpress.Security.Resources.AccessSettings.ReportingSpecificResources.SetRules method.
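
The same steps applied to a whole folder of trusted layouts, as an added example that is not DevExpress code. The `LooksLikeXml` heuristic, the `.codedom.bak` backup suffix, the command-line folder argument and the `DevExpress.XtraReports.Security` namespace import are assumptions; the reporting calls are the ones shown above.

```csharp
// Added example: offline .NET Framework console utility, not part of the web application.
using System;
using System.IO;
using DevExpress.XtraReports.UI;        // XtraReport
using DevExpress.XtraReports.Security;  // SerializationFormatRule (namespace assumed)

static class CodeDomMigration
{
    // Assumption: an XML layout starts with '<'; a CodeDOM layout is source code and does not.
    static bool LooksLikeXml(string path)
    {
        using (var reader = new StreamReader(path))
        {
            int c;
            while ((c = reader.Read()) != -1)
                if (!char.IsWhiteSpace((char)c)) return c == '<';
        }
        return false;
    }

    static void Main(string[] args)
    {
        string root = args.Length > 0 ? args[0] : ".";  // folder of trusted layouts
        // Step 1: allow both formats, in this utility only.
        DevExpress.Security.Resources.AccessSettings.ReportingSpecificResources.SetRules(
            SerializationFormatRule.Allow(SerializationFormat.Code, SerializationFormat.Xml));

        foreach (string path in Directory.EnumerateFiles(root, "*.*", SearchOption.AllDirectories))
        {
            string ext = Path.GetExtension(path).ToLowerInvariant();
            if ((ext != ".repx" && ext != ".repss") || LooksLikeXml(path)) continue;
            File.Copy(path, path + ".codedom.bak", true);  // keep the original for rollback
            if (ext == ".repx")
            {
                // Steps 2 and 3: open the CodeDOM layout, then save it as XML in place.
                XtraReport report = XtraReport.FromFile(path, true);
                report.SaveLayoutToXml(path);
            }
            else
            {
                XtraReport styles = new XtraReport();
                styles.StyleSheet.LoadFromFile(path);
                styles.StyleSheet.SaveXmlToFile(path);
            }
            Console.WriteLine("Migrated: " + path);
        }
    }
}
```

Files that already start with `<` are skipped, so the utility can be re-run until it reports nothing, at which point the SetRules call is no longer needed anywhere.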

2. Allow CodeDOM format deserialization

If you fully trust your report source, you can allow CodeDOM format deserialization and suppress exceptions. To do this, call the DevExpress.Security.Resources.AccessSettings.ReportingSpecificResources.SetRules method as shown below:

C#
DevExpress.Security.Resources.AccessSettings.ReportingSpecificResources.SetRules(SerializationFormatRule.Allow(SerializationFormat.Code, SerializationFormat.Xml));
Visual Basic
DevExpress.Security.Resources.AccessSettings.ReportingSpecificResources.SetRules(SerializationFormatRule.Allow(SerializationFormat.Code, SerializationFormat.Xml))
