Obsolete 'Restricted' Script Execution Mode

  • Feb 18, 2026

Important

This script execution mode is now obsolete. We recommend that you enable the Deny mode and try to use expression bindings instead. If you fully trust your reports, you can use the Unrestricted mode. See Scripts - Security Considerations for more information.

Specify Script Permissions

To enable the Restricted mode at your own risk, register a ScriptPermissionManager class instance at application startup as shown below.

csharp
ScriptPermissionManager.GlobalInstance = new ScriptPermissionManager((ExecutionMode)2);
vb
ScriptPermissionManager.GlobalInstance = New ScriptPermissionManager(CType(2, ExecutionMode))

This code registers the Internet Zone Evidence and applies the following default permissions:

Important

To apply restrictions, you are required to enable the CAS policy option in the application’s configuration file. Otherwise, an attempt to execute a report script under the Restricted mode will cause an exception.

To run scripts in Restricted mode with only specific actions allowed, define an Evidence (e.g., with the Zone set to MyComputer) and assign it to your custom ScriptPermissionManager.

Important

Each security zone has a specific set of associated permissions. When selecting a zone, please make sure that it applies appropriate permissions. For more information, review the following topic: Default Security Policy.

For example, the following code defines custom script permissions.

csharp
using DevExpress.XtraReports.Security;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;
// ...

static void Main() {
    // Define new Evidence with the specified SecurityZone.
    var evidence = new Evidence(new EvidenceBase[] { new Zone(System.Security.SecurityZone.MyComputer) }, new EvidenceBase[] { });

    // Define specific permissions to be restricted for the specified Evidence.
    FileIOPermission filePermission = new FileIOPermission(PermissionState.Unrestricted);

    // Restrict specific permissions based on your requirements.
    var restrictPermissions = new IPermission[] { 
        // Uncommenting the following line will cause a security exception on an attempt to access the file system by report scripts.
        // filePermission, 
    };

    // Assign a script permission manager instance with the specified script execution mode, evidence and restrictions.
    ScriptPermissionManager.GlobalInstance = new ScriptPermissionManager((ExecutionMode)2, evidence, restrictPermissions);

    // ...
}
vb
Imports DevExpress.XtraReports.Security
Imports System.Security
Imports System.Security.Permissions
Imports System.Security.Policy
' ...

Sub Main()
    ' Define new Evidence with the specified SecurityZone.
    Dim evidence = New Evidence(New EvidenceBase() {New Zone(System.Security.SecurityZone.MyComputer)}, New EvidenceBase() {})

    ' Define specific permissions to be restricted for the specified Evidence.
    Dim filePermission As New FileIOPermission(PermissionState.Unrestricted)

    ' Restrict specific permissions based on your requirements.
    Dim restrictPermissions = New IPermission() { _ 
        ' Uncommenting the following line will cause a security exception on an attempt to access the file system by report scripts.
        ' filePermission _ 
    }

    ' Assign a script permission manager instance with the specified script execution mode, evidence and restrictions.
    ScriptPermissionManager.GlobalInstance = New ScriptPermissionManager(CType(2, ExecutionMode), evidence, restrictPermissions)

    ' ...
End Sub

As a result of applying a FileIOPermission, the execution of the following report script becomes permitted.

csharp
using System.IO;
// ...

private void XtraReport_BeforePrint(object sender, System.ComponentModel.EventArgs e) {
    FileStream fs = File.Create(@"C:\Temp\test.txt");
    fs.Close();
}
vb
Imports System.IO
' ...

Private Sub XtraReport2_BeforePrint(ByVal sender As Object, ByVal e As System.ComponentModel.EventArgs)
    Dim fs As FileStream = File.Create("C:\Temp\test.txt")
    fs.Close()
End Sub

The execution of the above script will be attempted on previewing the report, as well as on exporting it to any of the supported third-party formats.

csharp
using DevExpress.XtraReports.UI;
// ...

private void button1_Click(object sender, System.EventArgs e) {
    XtraReport report = new XtraReport();
    report.LoadLayoutFromXml(@"..\..\report.xml");
    report.ExportToPdf("report.pdf");
}
vb
Imports DevExpress.XtraReports.UI
' ...

Private Sub Button1_Click(sender As Object, e As System.EventArgs) Handles Button1.Click
    Dim report As New XtraReport()
    report.LoadLayoutFromXml("..\..\report.xml")
    report.ExportToPdf("report.pdf")
End Sub

Enable the Code Access Security Policy

Starting with .NET Framework version 4, script restrictions are applied only if the code access security (CAS) policy is enabled in the application. This policy is disabled by default. For the runtime to determine the permissions granted to the code, you must explicitly enable the policy in the application’s configuration file.

web.config

xml
<configuration>
    <system.web>
        <trust level="Full" legacyCasModel="true"/>
    </system.web>
</configuration>

app.config

xml
<configuration>
  <runtime>
    <NetFx40_LegacySecurityPolicy enabled="true" />
  </runtime>
</configuration>

Important

This policy is required only for the Restricted script execution mode.

You are not required to enable this policy if your web application does not provide an End-User Report Designer (or if it does, but only trusted third parties are allowed to use the Designer).

If your application does not implement this policy, an attempt to execute a report script under the Restricted mode will cause an exception.
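
A pre-deployment check for the two settings above, as an added example (not DevExpress code): it reports which legacy CAS switch, if any, a configuration file enables, so an application that registers the Restricted mode without it is caught before a report script throws. The function names and the sample configs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs; the first two mirror the fragments shown above.
WEB_CONFIG = """<configuration>
  <system.web>
    <trust level="Full" legacyCasModel="true"/>
  </system.web>
</configuration>"""

APP_CONFIG = """<configuration>
  <runtime>
    <NetFx40_LegacySecurityPolicy enabled="true" />
  </runtime>
</configuration>"""

# Constructed negative case: attribute missing in one place, "false" in the other.
NO_CAS_CONFIG = """<configuration>
  <system.web><trust level="Full"/></system.web>
  <runtime><NetFx40_LegacySecurityPolicy enabled="false" /></runtime>
</configuration>"""


def _is_true(value):
    # Case-insensitive comparison is an assumption of this check.
    return value is not None and value.strip().lower() == "true"


def legacy_cas_settings(config_xml):
    """Return the settings in a .config document that enable legacy CAS."""
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError as exc:
        raise ValueError(f"not a well-formed config file: {exc}") from exc
    found = []
    # web.config form: <system.web><trust legacyCasModel="true"/>
    for trust in root.findall(".//system.web/trust"):
        if _is_true(trust.get("legacyCasModel")):
            found.append("system.web/trust@legacyCasModel")
    # app.config form: <runtime><NetFx40_LegacySecurityPolicy enabled="true"/>
    for policy in root.findall(".//runtime/NetFx40_LegacySecurityPolicy"):
        if _is_true(policy.get("enabled")):
            found.append("runtime/NetFx40_LegacySecurityPolicy@enabled")
    return found


if __name__ == "__main__":
    for name, text in [("web", WEB_CONFIG), ("app", APP_CONFIG), ("none", NO_CAS_CONFIG)]:
        print(name, legacy_cas_settings(text) or "legacy CAS not enabled")
```

An empty result for an application that still registers the Restricted mode means its report scripts will fail with the exception described above.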

ASP.NET MVC Specifics

In ASP.NET MVC applications, adding the <trust level="Full" legacyCasModel="true"/> section to a configuration file to enable the execution of report scripts under the specified restrictions may result in the following exception: “Dynamic operations can only be performed in homogenous AppDomain”. This is a result of restricted support for dynamic operations in ASP.NET MVC 4+ applications when legacy code access security is enabled.

As a workaround, you can move the report execution to a separate web application where legacy code access security (CAS) is enabled and restrictions for the report scripts are specified. Then, you can disable the legacy CAS in your main ASP.NET MVC application, so that all report scripts will be executed in a separate web application where the restrictions are enabled.

To implement this approach, consider the following.

  • You can configure authentication to allow only authenticated users to access your backend. To do that, use the AuthorizeAttribute in the web document viewer controller’s code.
  • Deny access to DevExpress HTTP handlers that are used by our Reporting components in the main application’s configuration file.

Please consider the following issues that are specific to DevExpress Reporting extensions.

Web Report Designer

  • You are required to register a custom report storage both in the main and backend applications.
  • Although you can pass a report instance to the Web Report Designer from the main application, the report’s scripts will be executed on a backend.

HTML5 Document Viewer

  • It is not possible to pass a report instance to the HTML5 Document Viewer other than using the client-side OpenReport method.

See Also

Scripts - Security Considerations