Deserialization from CodeDOM format is unsafe and has been disabled

By FoxLearn 3/7/2025 2:09:01 AM
To fix the DevExpress.XtraReports.Security.CodeDomLayoutDeserializationRestrictedException: 'Deserialization from CodeDOM format is unsafe and has been disabled.', you need to enable CodeDOM report deserialization explicitly or migrate to XML serialization.

DevExpress has disabled CodeDOM report deserialization across all platforms targeting Microsoft's .NET Framework; .NET projects use XML serialization exclusively. The following methods now throw a DevExpress.XtraReports.Security.CodeDomLayoutDeserializationRestrictedException when they are asked to load a report serialized with CodeDOM:

  • XtraReport.LoadLayout method overloads
  • XtraReport.FromFile
  • XtraReport.FromStream

The SerializationFormatRule class is now deprecated. Instead, use DevExpress.XtraReports.Configuration.Settings.AllowCodeDomLayoutDeserialization to enable CodeDOM report deserialization.

Reasons for the Change

CodeDOM report serialization is an outdated mechanism that was not designed to safeguard against potential harmful code injection or execution when deserializing reports on a client machine.

This change affects applications that use CodeDOM serialization to store report layouts (via SaveLayout method overloads).

Migrate to XML Serialization (Recommended)

To mitigate security risks, we strongly advise migrating your reports from CodeDOM to XML format.

Steps to Migrate:

  1. Temporarily enable DevExpress.XtraReports.Configuration.Settings.AllowCodeDomLayoutDeserialization at the application startup.
  2. Open each report.
  3. Save it to XML format using the SaveLayoutToXml method overloads.

For example, to save a report in XML format:

report.SaveLayoutToXml("path_to_save.xml");

By migrating to XML serialization, you eliminate the security risks associated with CodeDOM deserialization.
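The three migration steps above as one batch routine, added here as an example and not code from the original post or from DevExpress: it turns the CodeDOM switch on only for the duration of the conversion, loads each legacy layout, writes it back out with SaveLayoutToXml, and turns the switch off again in a finally block. The folder paths and the .repx file extension are assumptions.

```csharp
using System;
using System.IO;
using DevExpress.XtraReports.Configuration;
using DevExpress.XtraReports.UI;

// Added example (not from the original post): batch-migrates every CodeDOM
// report layout in a folder to XML, so the CodeDOM switch is only enabled
// for this one-off conversion. Folder paths and the .repx extension are assumptions.
static class ReportLayoutMigrator
{
    public static void MigrateFolder(string sourceDir, string targetDir)
    {
        Directory.CreateDirectory(targetDir);

        // Step 1: enable CodeDOM deserialization only while the migration runs.
        Settings.Default.AllowCodeDomLayoutDeserialization = true;
        try
        {
            foreach (string path in Directory.EnumerateFiles(sourceDir, "*.repx"))
            {
                string target = Path.Combine(targetDir, Path.GetFileName(path));
                try
                {
                    // Step 2: open the legacy report. With the switch above off, this call
                    // would throw CodeDomLayoutDeserializationRestrictedException.
                    using (XtraReport report = XtraReport.FromFile(path, true))
                    {
                        // Step 3: persist the same layout in XML format.
                        report.SaveLayoutToXml(target);
                    }
                    Console.WriteLine($"Migrated {path} -> {target}");
                }
                catch (Exception ex)
                {
                    // A layout that fails to load is logged and skipped; the batch continues.
                    Console.Error.WriteLine($"Skipped {path}: {ex.Message}");
                }
            }
        }
        finally
        {
            // Turn the unsafe path back off even if an exception escaped the loop.
            Settings.Default.AllowCodeDomLayoutDeserialization = false;
        }
    }
}
```

After the run, the application can load the converted files from the target folder with the switch left off, which is the end state the post recommends.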

Temporarily Enabling CodeDOM Deserialization

To revert to the previous behavior, set DevExpress.XtraReports.Configuration.Settings.AllowCodeDomLayoutDeserialization to true at the application startup.

DevExpress.XtraReports.Configuration.Settings.Default.AllowCodeDomLayoutDeserialization = true;

For example:

using System;
using System.Net;
using System.Windows.Forms;
static class Program
{
    [STAThread]
    static void Main()
    {
        Application.EnableVisualStyles();
        Application.SetCompatibleTextRenderingDefault(false);
        // Ssl3, Tls and Tls11 are deprecated protocols; the line is kept as in the original sample.
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12 | SecurityProtocolType.Ssl3;
        if (!System.Diagnostics.Debugger.IsAttached)
        {
            // Route unhandled exceptions to the handlers below when no debugger is attached.
            Application.ThreadException += Application_ThreadException;
            AppDomain.CurrentDomain.UnhandledException += CurrentDomain_UnhandledException;
            Application.SetUnhandledExceptionMode(UnhandledExceptionMode.CatchException);
        }
        // Re-enable CodeDOM layout deserialization before any report is loaded.
        DevExpress.XtraReports.Configuration.Settings.Default.AllowCodeDomLayoutDeserialization = true;
        Application.Run(new frmMain()); // frmMain is the application's main form
    }

    // Minimal handlers for the events wired above (not part of the original snippet).
    static void Application_ThreadException(object sender, System.Threading.ThreadExceptionEventArgs e)
        => MessageBox.Show(e.Exception.Message, "Unhandled UI exception");
    static void CurrentDomain_UnhandledException(object sender, UnhandledExceptionEventArgs e)
        => MessageBox.Show(((Exception)e.ExceptionObject).Message, "Unhandled exception");
}

This will allow deserialization from the CodeDOM format, but please note that this is not recommended for production environments due to potential security risks.

While enabling AllowCodeDomLayoutDeserialization temporarily resolves the error, it is strongly recommended to migrate your reports to XML format to avoid security issues.