Skip to main content
BuyLog In
.NET Reporting Tools
Search in…
Docs > Detailed Guide to DevExpress Reporting > Store and Distribute Reports > Security Considerations
A newer version of this page is available. .
All docs
V22.1
Reporting
Product Information
Get Started with DevExpress Reporting
Create Reports
Detailed Guide to DevExpress Reporting
Introduction to Banded Reports
Bind Reports to Data
Use Report Controls
Use Report Parameters
Shape Report Data
Arrange Dynamic Report Contents
Customize Appearance
Add Navigation
Provide Interactivity
Add Extra Information
Merge Reports
Use Expressions
Store and Distribute Reports
Security Considerations
Store Report Layouts and Documents
Export Reports
Print Reports
Print and Export Reports without a Preview
Globalize and Localize Reports
Reporting API
Visual Studio Report Designer
WinForms Reporting
WPF Reporting
Web Reporting
WinUI Reporting
WCF Report Service
Discontinued Platforms
Localize Reporting Applications
Redistribution and Deployment
API Reference
ASP.NET Core API Reference
Blazor API Reference
Client API Reference
Client API Reference (Web Forms & MVC)
Download CHM

Security Considerations for Report Storage and Distribution

  • 4 minutes to read

This document addresses the safe storage and distribution of report layouts and describes security best practices.

Possible risks include the leakage of sensitive data contained in serialized reports and the execution of malicious code injected into them by third parties. The following sections describe how to eliminate these risks:

Prevent Execution of Serialized Code

When you open reports from untrusted sources in Print Preview or Report Designer, malicious code embedded in those reports can cause uncontrolled execution. We address these security risks with the following methods:

XML Serialization

To prevent uncontrolled code execution on the client, Report Designer uses XML serialization to save report layouts and style sheets.

Important

We recommend that you do not change the default behavior and continue using XML serialization for saving reports.

Unlike the legacy CodeDOM serialization, XML is protected against injecting harmful code into a report’s definition and executing it on a client machine when deserializing such report.

We recommend switching to XML serialization instead if your application still uses CodeDOM serialization.

Validation on Load

End-User Report Designer (WinForms and WPF) displays the following warning when a user attempts to load a potentially unsafe report:

report-designer-load-report-warning

A report is considered unsafe if it or any of its subreports contain any of the following:

Review the following help topics for more information:

Report Scripts

Regardless of which serialization mechanism was used for saving a report, it may still include executable code contained in report scripts. If you enable report scripts, users are at risk of running malicious code on their machines. In web applications, the risk is higher because scripts run on the server.

Desktop and web reporting applications have different initial security settings:

  • WinForms and WPF Reporting enable unrestricted report script execution.
  • Web Reporting disables script execution.

Note that the XtraReport.CreateDocument method causes unsupervised script execution on the client machine and can compromise security.

Important

We recommend that you disable script execution and use expressions instead.

For information on how to disable report scripts, review the following help topic: Scripts Security.

Protect Sensitive Report Data

The following information can help you to prevent sensitive data exposure in report definitions:

  • Protect Data Source Information

    Unlike published report documents, a report definition does not store the actual values from the report data sources.

    A report definition contains only the data connection name - it does not include any sensitive information related to data connections. User credentials and connection strings are stored in the application configuration file.

    Important

    A report definition can contain information about the data source schema (as Base64-encoded text), which includes names of selected data source tables, views, and columns.

    You can handle the XtraReport.SaveComponents event to access and manage the list of serialized components.

    In web applications, reporting components encrypt certain data, such as connection parameters, and pass it to the client in encrypted form. Review the following help topic for more information: Data Access Security.

  • Protect Password Information

    A report definition file stores PDF and Excel passwords in plain unencrypted text.

    Once you specify passwords in the [XtraReport.ExportOptions] report (xref:DevExpress.XtraReports.UI.XtraReport.ExportOptions), all PDF and Excel files created from this report automatically use these passwords. Unauthorized access to the original report definition that contains the passwords specified for the export parameters can compromise all PDF and Excel documents created from that report.

    Important

    Avoid default passwords for PDF and Excel exports and limit access to the report definition files that reveal those passwords and the PDF and Excel document repository.

Application Security

Report storage and distribution practices are only part of general security considerations. Review the following help sections for more information about security in reporting applications: