For security reasons, in Web applications, deserialization of report layouts (REPX files) and style sheets (REPSS files) stored in CodeDOM format has been disabled. An exception is thrown on an attempt to load such a report or style sheet.
If you trust your report source, you can choose one of the following options:
1. Migrate to the XML format (recommended)
To avoid potential security threats, we strongly recommend that you migrate your reports and style sheets from the CodeDOM format to the XML format. To do this, create a .NET Framework application and perform the following actions:
- Call the DevExpress.Security.Resources.AccessSettings.ReportingSpecificResources.SetRules method to add a serialization rule that allows CodeDOM and XML formats.
- Open a report or style sheet.
- Save it in the XML format.
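C#
using DevExpress.XtraReports.Security;
using DevExpress.XtraReports.UI;
// Allow both formats so that CodeDOM files can be loaded during migration.
DevExpress.Security.Resources.AccessSettings.ReportingSpecificResources.SetRules(SerializationFormatRule.Allow(SerializationFormat.Code, SerializationFormat.Xml));
// Load the CodeDOM report layout and overwrite it in the XML format.
XtraReport report = XtraReport.FromFile("Layout.repx", true);
report.SaveLayoutToXml("Layout.repx");
// Load the CodeDOM style sheet and overwrite it in the XML format.
XtraReport reportStyles = new XtraReport();
reportStyles.StyleSheet.LoadFromFile("Styles.repss");
reportStyles.StyleSheet.SaveXmlToFile("Styles.repss");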
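Visual Basic
Imports DevExpress.XtraReports.Security
Imports DevExpress.XtraReports.UI
' Allow both formats so that CodeDOM files can be loaded during migration.
DevExpress.Security.Resources.AccessSettings.ReportingSpecificResources.SetRules(SerializationFormatRule.Allow(SerializationFormat.Code, SerializationFormat.Xml))
' Load the CodeDOM report layout and overwrite it in the XML format.
Dim report As XtraReport = XtraReport.FromFile("Layout.repx", True)
report.SaveLayoutToXml("Layout.repx")
' Load the CodeDOM style sheet and overwrite it in the XML format.
Dim reportStyles As XtraReport = New XtraReport()
reportStyles.StyleSheet.LoadFromFile("Styles.repss")
reportStyles.StyleSheet.SaveXmlToFile("Styles.repss")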
- Once you migrate all the reports and style sheets, remove the line where you call the DevExpress.Security.Resources.AccessSettings.ReportingSpecificResources.SetRules method.
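The same migration applied to a whole folder of trusted reports, as an added example (not DevExpress code): a one-off console tool that converts only the files still in CodeDOM format and keeps a backup of each. The class name, the `.codedom.bak` suffix and the "starts with `<`" test for XML are assumptions of this sketch; the allow rule lives only in this tool, so the Web application itself never enables CodeDOM.

```csharp
// Added example: batch CodeDOM-to-XML migration for files from a trusted source.
// Build as a separate .NET Framework console application, not inside the Web app.
using System;
using System.IO;
using DevExpress.XtraReports.Security;
using DevExpress.XtraReports.UI;

static class CodeDomMigration {
    // Assumption: an XML layout starts with '<' (XML declaration or root element);
    // anything else is treated as a CodeDOM file that still needs migration.
    static bool LooksLikeXml(string path) {
        return File.ReadAllText(path).TrimStart().StartsWith("<", StringComparison.Ordinal);
    }

    static void Convert(string path) {
        // Keep the original; File.Copy throws if a backup already exists.
        File.Copy(path, path + ".codedom.bak", false);
        if (path.EndsWith(".repss", StringComparison.OrdinalIgnoreCase)) {
            XtraReport holder = new XtraReport();
            holder.StyleSheet.LoadFromFile(path);
            holder.StyleSheet.SaveXmlToFile(path);
        } else {
            XtraReport report = XtraReport.FromFile(path, true);
            report.SaveLayoutToXml(path);
        }
        // Fail loudly if the file on disk is still not XML after saving.
        if (!LooksLikeXml(path))
            throw new InvalidDataException("Still not XML after save: " + path);
    }

    static int Main(string[] args) {
        string root = args.Length > 0 ? args[0] : ".";
        // Same rule as in the steps above; it exists only in this migration tool.
        DevExpress.Security.Resources.AccessSettings.ReportingSpecificResources.SetRules(
            SerializationFormatRule.Allow(SerializationFormat.Code, SerializationFormat.Xml));
        int converted = 0;
        foreach (string pattern in new[] { "*.repx", "*.repss" })
            foreach (string path in Directory.GetFiles(root, pattern, SearchOption.AllDirectories)) {
                if (LooksLikeXml(path)) continue; // already migrated, leave untouched
                Convert(path);
                Console.WriteLine("converted " + path);
                converted++;
            }
        Console.WriteLine(converted + " file(s) migrated");
        return 0;
    }
}
```

Running the tool a second time should report 0 migrated files, which confirms that no CodeDOM layouts remain in the folder.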
2. Allow CodeDOM format deserialization
If you fully trust your report source, you can allow CodeDOM format deserialization and suppress exceptions. To do this, call the DevExpress.Security.Resources.AccessSettings.ReportingSpecificResources.SetRules method as shown below:
C#
DevExpress.Security.Resources.AccessSettings.ReportingSpecificResources.SetRules(SerializationFormatRule.Allow(SerializationFormat.Code, SerializationFormat.Xml));
Visual Basic
DevExpress.Security.Resources.AccessSettings.ReportingSpecificResources.SetRules(SerializationFormatRule.Allow(SerializationFormat.Code, SerializationFormat.Xml))