GoDaddy won't let XmlUrlResolver run

Question

I am trying to write a page to host on godaddy and the code keeps throwing an exception. I believe that the problem is that the permissions on the server will not let the subclass of XmlUrlResolver get instantiated, but I'd love some help with this please...

This code does work on my local dev box, and if I use File.ReadAllText(HostingEnvironment.MapPath("~/xml/home.xml")) it does work, so I am fairly certain it's not IO permissions....

Exception:

     Security Exception
Description: The application attempted to perform an operation not allowed by the security policy.  To grant this application the required permission please contact your system administrator or change the application's trust level in the configuration file.

Exception Details: System.Security.SecurityException: Request failed.

Source Error:

Line 33:         t.Load(reader, null, new XsltUrlResolver());
Line 34:         sb = new StringBuilder(File.ReadAllText(HostingEnvironment.MapPath("~/xslt/url-encode.xslt")));
Line 35:     }
Line 36: </script>
Line 37:

Code (this is a simple page I'm using to try to narrow down the problem only):

<%@ Page Language="C#" AutoEventWireup="true" EnableViewState="false" Inherits="System.Web.UI.Page" %>

<%@ Import Namespace="Web" %>
<%@ Import Namespace="System.Xml" %>
<%@ Import Namespace="System.Web.Hosting" %>
<%@ Import Namespace="System.IO" %>
<%@ Import Namespace="System.Xml.Xsl" %>
<%@ Import Namespace="System.Text" %>
<%@ Import Namespace="System.Web" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"&gt;

<script runat="server">
    public StringBuilder sb = new StringBuilder();

    public class XsltUrlResolver : XmlUrlResolver
    {
        public override Uri ResolveUri(Uri baseUri, string relativeUri)
        {
            if (baseUri != null)
                return base.ResolveUri(baseUri, relativeUri);
            else
                return base.ResolveUri(baseUri, HostingEnvironment.MapPath(relativeUri));
        }
    }
    protected void Page_Load(object sender, EventArgs e)
    {
        // create the readers for the xml and xsl
        XmlReader reader = XmlReader.Create(new StringReader(File.ReadAllText(HostingEnvironment.MapPath("~/xslt/home.xslt"))));
        XmlReader input = XmlReader.Create(new StringReader(File.ReadAllText(HostingEnvironment.MapPath("~/xml/home.xml"))));

        // create the xsl transformer
        XslCompiledTransform t = new XslCompiledTransform(true);
        t.Load(reader, null, new XsltUrlResolver());
        sb = new StringBuilder(File.ReadAllText(HostingEnvironment.MapPath("~/xslt/url-encode.xslt")));
    }
</script>

<html xmlns="http://www.w3.org/1999/xhtml"&gt;
<head id="Head1" runat="server">
    <title>Untitled Page</title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
        <%= sb.ToString() %>
    </div>
    </form>
</body>
</html>

Answer 1

GoDaddy shared hosting accounts run under Medium Trust. There are (at least) three possibilities for how your code may be running afoul of Medium Trust:

• The XSLT contains operations, like embedded script, which are incompatible with Medium Trust. See http://social.msdn.microsoft.com/Forums/en-US/xmlandnetfx/thread/b643e335-f1b4-4fb3-b81f-f4ace3f156fa. I'm not aware of any way around this other than removig the script.
• setting a custom XmlResolver may not be supported in Medium Trust (I've seen a few forums posts about this). You may need to pre-process your XML if this is true, to avoid needing a custom resolver.
• I've read online that XmlResolver.ResolveUri does demand full trust, so you may not be allowed to call it in your derived class. it may be OK to build your own resolver which does not call down to the base class's ResolveUri method. Be very careful if you do this-- resolving URLs yourself is a great way for malicious data to get access to private files on your web server!

There's a few related threads on SO about XmlResolver, including this one, which may be useful.