TypeNameHandling and security

Nov 29, 2010 at 1:59 PM
Edited Nov 29, 2010 at 2:00 PM

TypeNameHandling sounds like a potential security-hole if it allows instantiation of arbitrary types from untrusted JSON.

Is it possible to supply a type white-list so only types from that list may be constructed? Or is there a build in mechanism that makes this save that I'm missing?

Dec 1, 2010 at 5:54 AM

No. The JSON property is only used if TypeNameHandling is enabled so if you're worried about it then you can safely not turn it on.