How can i define that the content of the emailaddress-element has to be unquie compared to all other emailaddresses entered inside the users-tag?
<?xml version="1.0" encoding="UTF-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
<xs:element name="users">
<xs:sequence>
<xs:element name="user">
<xs:element name="name" type="xs:string" />
<xs:element name="emailaddress" type="xs:string" />
</xs:element>
</xs:sequence>
</xs:element>
I think this is what you are after:
<?xml version="1.0" encoding="UTF-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
<xs:element name="users">
<xs:complexType>
<xs:sequence maxOccurs="unbounded">
<xs:element name="user">
<xs:complexType>
<xs:sequence>
<xs:element name="name" type="xs:string"/>
<xs:element name="emailaddress" type="xs:string"/>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
<!-- Make sure each user has a unique email address -->
<xs:unique name="email-address-is-unique">
<xs:selector xpath="user"/>
<xs:field xpath="emailaddress"/>
</xs:unique>
</xs:element>
</xs:schema>
I also took the liberty of adding omitted elements from your original schema for completeness.
So the xpath attribute of the selector element defines the elements that are being used by the uniqueness constraint, then the field element(s) have xpaths which determine what needs to be unique across the selected elements.
You use the <xs:unique> tag as described here
Related
We have comments from security team:
For: _vti_bin/copy.asmx
Implications
Processing XML documents can be computationally expensive. Attackers may take advantage of schemas that allow unbounded elements by supplying an application with a very large number elements causing the application to exhaust system resources.
The following is an example of a schema that allows unbounded bar elements.
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" >
<xs:element name="foo" >
<xs:complexType>
<xs:sequence>
<xs:element name="bar" maxOccurs="unbounded" />
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>
Recommendations
Limit maxOccurs to a reasonable number.
The following is an example of a schema that allows 50 bar elements.
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" >
<xs:element name="foo" >
<xs:complexType>
<xs:sequence>
<xs:element name="bar" maxOccurs="50" />
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>
For: _vti_bin/lists.asmx
Implications
The element means arbitrary tags can be included in a valid document. Permitting arbitrary content makes it easier for attackers to perform attacks like XML injection.
Example 1: Imagine you are using the following schema for validation.
<?xml version="1.0"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
<xs:element name="cart" >
<xs:complexType>
<xs:sequence>
<xs:element name="itemID" maxOccurs="1" />
<xs:element name="price" maxOccurs="1" />
<xs:element name="description" maxOccurs="1"/>
<xs:any minOccurs="0"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="description" type="xs:string"/>
<xs:element name="name" type="xs:string"/>
<xs:element name="price" type="xs:decimal"/>
<xs:element name="code" type="xs:string"/>
</xs:schema>
Since this schema uses the element, the following XML documentation will be considered valid.
<?xml version=\"1.0\" ?>
<cart>
<itemID>123</itemID>
<price>50.00</price>
<price>1.0</price>
</cart>
This is especially dangerous when using SAX parsers since later nodes will overwrite previous nodes.
Recommendations
Explicitly define permissible elements instead of using the element.
Example 2: In order to fix Example 1, replace the element with a concretely defined element such as .
<?xml version="1.0"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
<xs:element name="cart" >
<xs:complexType>
<xs:sequence>
<xs:element name="itemID" maxOccurs="1" />
<xs:element name="price" maxOccurs="1" />
<xs:element name="description" maxOccurs="1"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="description" type="xs:string"/>
<xs:element name="name" type="xs:string"/>
<xs:element name="price" type="xs:decimal"/>
<xs:element name="code" type="xs:string"/>
</xs:schema>
Could we update those 2 files as suggestions from security team?
I have an XSD to validate an XML file. The structure is as follows:
<root>
<child>
<size>2</size>
<childElement>Element 1</childElement>
<childElement>Element 2</childElement>
</child>
</root>
The number of childElements is dependent on the size provided i.e. if size was set as 3, not more than 3 childElements can be added.
I have tried using xs:alternative but it does not seem to work:
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
<xs:element name="root">
<xs:complexType>
<xs:sequence>
<xs:element name="child" minOccurs="1" maxOccurs="unbounded">
<xs:complexType>
<xs:sequence>
<xs:element name="size" type="xs:integer" maxOccurs="1"/>
<xs:element name="childElement" type="xs:string" maxOccurs="1">
<xs:alternative test="#size>1" maxOccurs="#size"/>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>
Is there a way of using xs:alternative or another tag to achieve this, or is this outside the realm of possibility with XSD?
Design recommendation: If your XML design can still be changed, eliminate the size element and convey that information implicitly rather than explicitly. By eliminating the duplication of information, you'll not need to check that the duplication is consistent.
If your XML design cannot still be changed, or if you choose not to change it...
XSD 1.0
Not possible. Would have to be checked out-of-band wrt XSD.
XSD 1.1
Possible using xs:assert:
<?xml version="1.0" encoding="UTF-8"?>
<xs:schema attributeFormDefault="unqualified"
elementFormDefault="qualified"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:vc="http://www.w3.org/2007/XMLSchema-versioning"
vc:minVersion="1.1">
<xs:element name="root">
<xs:complexType>
<xs:sequence>
<xs:element name="child">
<xs:complexType>
<xs:sequence>
<xs:element name="size" type="xs:integer"/>
<xs:element name="childElement" maxOccurs="unbounded"/>
</xs:sequence>
<xs:assert test="count(childElement) = size"/>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>
I want to model a container that has a list of references by id in enterprise architect.
A xsd is generated from that model.
<?xml version="1.0" encoding="utf-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
<xs:element name="Container" type="Container"/>
<xs:complexType name="Container">
<xs:sequence>
<xs:element name="Element" type="Element" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:element name="Element" type="Element"/>
<xs:complexType name="Element">
<xs:sequence>
<xs:element name="Identifier" type="xs:ID" minOccurs="1" maxOccurs="1"/>
<xs:element name="Name" type="xs:string" minOccurs="1" maxOccurs="1"/>
</xs:sequence>
</xs:complexType>
</xs:schema>
Is it possible to find settings so such that a list of Id is generated?
(Not a list of full instances like it is now)
Here are the settings of the aggregation:
The goal is to have a list of ID in the container generated from the association and have the possibility to generate java code from the xsd that has a list of element, not ID.
<?xml version="1.0" encoding="utf-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
<xs:element name="Container" type="Container"/>
<xs:complexType name="Container">
<xs:sequence>
<xs:element name="ElementRef" type="xs:IDREF" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:element name="Element" type="Element"/>
<xs:complexType name="Element">
<xs:sequence>
<xs:element name="Identifier" type="xs:ID" minOccurs="1" maxOccurs="1"/>
<xs:element name="Name" type="xs:string" minOccurs="1" maxOccurs="1"/>
</xs:sequence>
</xs:complexType>
</xs:schema>
So, the XSD shall have a list of IDREF, so that the java code generated from that shall have either a list of Identifiers or even better a list of Element.
Edit: added example of target xsd.
I wanted to know the proper way to do an xsd as certain nodes in my xsd may be reused in other xsd's. Like in Search Item request I will use
<xs:element name="Item">
<xs:complexType>
<xs:sequence>
<xs:element name="Name" type="xs:string"/>
<xs:element name="Price" type="xs:double"/>
<xs:element name="SupplierCode" type="xs:string"/>
<xs:element name="Supplier" type="xs:string"/>
<xs:element name="SupplierName" type="xs:string"/>
<xs:element name="Manufacturer" type="xs:string"/>
<xs:element ref="CustomerReviews" minOccurs="0"/>
</xs:sequence>
<xs:attribute name="model" type="xs:string" use="required"/>
<xs:attribute name="href" type="xs:string" use="required"/>
</xs:complexType>
</xs:element>
then I might need to use it in another xsd.
So should I repeat it or make a xsd with it in it and reference it?
My Current xsd with include
<?xml version="1.0" encoding="UTF-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns1="http://www.itwholesaledeluxe.com" targetNamespace="http://www.itwholesaledeluxe.com" elementFormDefault="qualified" attributeFormDefault="unqualified">
<xs:include schemaLocation="Item.xsd"/>
<xs:element name="Search-Item-Request">
<xs:complexType>
<xs:sequence>
<xs:element name="Items">
<xs:complexType>
<xs:sequence>
<xs:element name="Item" type="Item"/>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>
Then the item xsd partially since its too big to post
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" attributeFormDefault="unqualified" targetNamespace="http://www.itwholesaledeluxe.com">
<xs:complexType name="Item">
<xs:sequence>
<xs:element name="Name">
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:maxLength value="50"/>
</xs:restriction>
</xs:simpleType>
</xs:element>
</sequence>
</complexType>
</xs:schema>
follow DRY: If it's the same object (in the same namespace): make an xsd and reference it.
That way, if the object is altered at some point, you only need to make your changes once. Also, any code generated for this object only needs to be generated once.
Use the following xsd's as a reference:
Main.xsd:
<?xml version="1.0" encoding="UTF-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:ns1="http://www.itwholesaledeluxe.com" targetNamespace="http://www.itwholesaledeluxe.com"
elementFormDefault="qualified" attributeFormDefault="unqualified">
<xs:include schemaLocation="Item.xsd" />
<xs:element name="Search-Item-Request">
<xs:complexType>
<xs:sequence>
<xs:element name="Items">
<xs:complexType>
<xs:sequence>
<xs:element name="Item" type="ns1:Item" />
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>
Item.xsd:
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
elementFormDefault="qualified" attributeFormDefault="unqualified"
targetNamespace="http://www.itwholesaledeluxe.com">
<xs:complexType name="Item">
<xs:sequence>
<xs:element name="Name">
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:maxLength value="50" />
</xs:restriction>
</xs:simpleType>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:schema>
is it possible to override the minOccurs/maxOccurs attributes of an element in the parent xsd? we can easily extend the parent xsd and create a new xsd with different namespace, but am trying to override with same parent namespace.
Lets say we have an xsd
<?xml version="1.0" encoding="UTF-8"?>
<xs:schema
xmlns:cust="http://test.com/schema/cust" xmlns:xs="http://www.w3.org/2001/XMLSchema" targetNamespace="http://test.com/schema/cust" elementFormDefault="qualified" attributeFormDefault="unqualified">
<xs:complexType name="customer-type">
<xs:sequence>
<xs:element name="firstname" type="xs:string"/>
<xs:element name="lastname" type="xs:string"/>
<xs:element name="hobby" type="xs:string" minOccurs="0" maxOccurs="unbounded" />
</xs:sequence>
</xs:complexType>
<xs:element name="customer" type="cust:customer-type"/>
</xs:schema>
can i create extension/restriction of above xsd with same namespace which will restrict/change the <cust:hobby> minOccurs to be 1?
Okay, i was complicating the solution. Before this i was trying to use override function in xml 1.0 which is available only from xml 1.1.
A simple redefine would do the trick:
If the name of your base xsd is cust.xsd then the below redefinition overrides the minOccurs of "hobby" element to 1.
<?xml version="1.0" encoding="UTF-8"?>
<xs:schema
xmlns:cust="http://test.com/schema/cust" xmlns:xs="http://www.w3.org/2001/XMLSchema" targetNamespace="http://test.com/schema/cust" elementFormDefault="qualified" attributeFormDefault="unqualified">
<xs:redefine schemaLocation="cust.xsd">
<xs:complexType name="customer-type">
<xs:complexContent>
<xs:restriction base="cust:customer-type">
<xs:sequence>
<xs:element name="firstname" type="xs:string"/>
<xs:element name="lastname" type="xs:string"/>
<xs:element name="hobby" type="xs:string" minOccurs="1" maxOccurs="unbounded" />
</xs:sequence>
</xs:restriction>
</xs:complexContent>
</xs:complexType>
</xs:redefine>
</xs:schema>