tags:

views:

518

answers:

3
+3  Q: 

Why doesn't the XmlSerializer need the type to be marked [Serializable]?

In C#, if I want to serialize an instance with XmlSerializer, the object's type doesn't have to be marked with [Serializable] attribute. However, for other serialization approaches, such as DataContractSerializer, needs the class be marked as [Serializable] or [DataContract].

Is there any standard or pattern about serialization requirement?

+7  A: 

This is because XmlSerializer only serializes public fields/properties. Other forms of serialization can serialize private data, which constitutes a potential security risk, so you have to "opt in" using an attribute.

Eric Rosenberger  2008-12-25 02:03:10
+2  A: 

Right now there are really 3 forms of serialization in the .Net Framework.

  1. XmlSerialization - By default works on public fields and properties. Can still be controlled via XmlElementAttribute, XmlAttributeAttribute, etc ...
  2. BinarySerialization - Controlled by the SerializationAttribute. Deeply integrated into the CLR
  3. WCF Seralization - DataContractAttribute, etc ...

There unfortunately is standard overall pattern for serialization. All 3 frameworks have different requirements and quirks.

JaredPar  2008-12-25 15:21:22
You might want to add JavaScriptSerializer to that list - different requirements and quirks, but part of the core framework now.
Marc Gravell  2008-12-27 16:43:06
@Marc, hadn't heard about that one before. Will have to look into it.
JaredPar  2008-12-27 22:15:56
JP - typo? s/Serialization/Serializable. The key point here is that [Serializable] is an attribute that is meaningful to the binary serializer, and the Xml Serializer doesn't use it. Conversely, [XmlElement] is used by the latter, and the former doesn't use i.
Cheeso  2009-03-31 21:14:52
IIRC, Serializer was created to support MarshalByRefObject / .NET Remoting, XmlSerializer was created to support ASMX web services, and DataContractSerializer was created to support WCF, hence the inconsistencies. :-)
Christian Hayter  2009-06-09 16:22:15
+4  A: 

Security isn't the only issue; simply, serialization only makes sense for certain classes. For example, it makes little snse to serialize a "connection". A connection string, sure, but the connection itself? nah. Likewise, anything that requires an unmanaged pointer/handle is not going to serialize very well. Nor are delegates.

Additionally, XmlSerializer and DataContractSerializer (by default) are tree serializers, not graph serializers - so any recursive links (like Parent) will cause it to break.

Marking the class with the serializer's preferred token is simply a way of saying "and it should make sense".

IIRC, both [XmlSerializer and [DataContractSerializer] used to be very rigid about demanding things like [Serializable], [DataContract] or [IXmlSerializable], but they have become a bit more liberal lately.

Marc Gravell  2008-12-26 08:34:22
True, and this is a good argument as to why XmlSerializer SHOULD require attributes too... there's nothing stopping you from serializing something that doesn't make sense. But I think security was the main reason they DIDN'T do this.
Eric Rosenberger  2008-12-26 16:09:33
And AFAIK, XmlSerializer never required any attributing, at least back to .NET 1.1, although you could always control it with the various Xml* attributes and IXmlSerializable.
Eric Rosenberger  2008-12-26 16:11:03
common misconception: Xml Serializer never required [Serializable] and was never associated with [Serializable]. The [Serializable] attribute never had any effect on the actions or behavior of the Xml Serializer. They have always been unrelated, except in people's minds!
Cheeso  2009-05-14 10:01:46
@Cheeso - probably because my first use of XmlSerializer was via asmx services, does that require it>
Marc Gravell  2009-05-14 10:28:51
AFAIR, SOAP serialization does require [Serializable]. But SOAP serialization is very different from XML serialization.
Anton Tykhyy  2009-07-01 09:21:26
@Anton: No such thing as SOAP Serialization. That's runtime serialization using the SOAP formatter.
John Saunders  2009-07-25 18:51:19

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?