CA5372 (Security). Enabled by default: No

Use XmlReader for XPathDocument

Description

Processing XML from untrusted data may load dangerous external references, which can be restricted by using an XmlReader with a secure resolver or with DTD processing disabled. This rule detects code that uses the XPathDocument class and doesn’t take XmlReader as a constructor parameter.

Cause

Using the XPathDocument class instantiated without an XmlReader object can potentially lead to denial of service, information disclosure, and server-side request forgery attacks. These attacks are enabled by untrusted DTD and XML schema processing, which allows for the inclusion of XML bombs and malicious external entities in the XML. Only with XmlReader is it possible to disable DTD and inline XML schema processing, as XmlReader has the ProhibitDtd and ProcessInlineSchema properties, set to false by default in .NET Framework starting in version 4.0. The other options, such as Stream, TextReader, and XmlSerializationReader, cannot disable DTD processing.

How to fix violations

Use XPathDocument(XmlReader, *) constructors.

Example

// Violation: an XPathDocument built from a Stream gives the caller no way to disable DTD processing.
using System.IO;
using System.Xml.XPath;
...
public void TestMethod(Stream stream)
{
    var obj = new XPathDocument(stream);
}

// Fix: take an XmlReader, whose settings control DTD and inline schema processing, and pass it to XPathDocument.
using System.Xml;
using System.Xml.XPath;
...
public void TestMethod(XmlReader reader)
{
    var obj = new XPathDocument(reader);
}
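The fix above only helps if the XmlReader handed to XPathDocument is actually configured to refuse DTDs and external references. The following is an added example (not code from the rule page or from Microsoft) showing the hardened XmlReaderSettings, the XPathDocument(XmlReader) call, and what happens when untrusted input carries a DOCTYPE. The class and method names (SafeXPath, LoadUntrusted, SelectFirst) and the two XML inputs are constructed for the demonstration; the XmlReaderSettings members are the real .NET API.

```csharp
using System;
using System.IO;
using System.Text;
using System.Xml;
using System.Xml.XPath;

// Hypothetical helper: loads untrusted XML into an XPathDocument through an
// XmlReader whose settings prohibit DTDs and external lookups.
public static class SafeXPath
{
    // These settings are the reason the XmlReader overload is the safe one:
    // the Stream/TextReader overloads expose no equivalent knobs.
    private static readonly XmlReaderSettings Hardened = new XmlReaderSettings
    {
        DtdProcessing = DtdProcessing.Prohibit,   // any <!DOCTYPE ...> raises XmlException
        XmlResolver = null,                        // never fetch external DTDs or entities
        ValidationType = ValidationType.None,      // no schema validation of untrusted input
        MaxCharactersFromEntities = 1024           // cap entity expansion as a second line of defence
    };

    // Builds the XPathDocument from the hardened reader (the CA5372-compliant constructor).
    public static XPathDocument LoadUntrusted(Stream xml)
    {
        using (XmlReader reader = XmlReader.Create(xml, Hardened))
        {
            return new XPathDocument(reader);
        }
    }

    // Returns the value of the first node matching the XPath expression, or null.
    public static string SelectFirst(XPathDocument doc, string xpath)
    {
        XPathNavigator hit = doc.CreateNavigator().SelectSingleNode(xpath);
        return hit?.Value;
    }

    public static void Main()
    {
        // Constructed sample inputs: one benign document and one that declares
        // a DTD with an external entity (the pattern behind XXE and XML bombs).
        const string benign = "<config><timeout>30</timeout></config>";
        const string withDtd =
            "<!DOCTYPE config [<!ENTITY ext SYSTEM \"http://example.invalid/external.dtd\">]>" +
            "<config><timeout>&ext;</timeout></config>";

        using (var s = new MemoryStream(Encoding.UTF8.GetBytes(benign)))
        {
            XPathDocument doc = LoadUntrusted(s);
            Console.WriteLine("timeout = " + SelectFirst(doc, "/config/timeout"));
        }

        using (var s = new MemoryStream(Encoding.UTF8.GetBytes(withDtd)))
        {
            try
            {
                LoadUntrusted(s);
                Console.WriteLine("unexpected: DTD was accepted");
            }
            catch (XmlException ex)
            {
                // DtdProcessing.Prohibit rejects the DOCTYPE before any entity
                // is declared or resolved, so no external request is ever made.
                Console.WriteLine("rejected: " + ex.Message);
            }
        }
    }
}
```

Setting XmlResolver to null is worth keeping even with DtdProcessing.Prohibit: it also blocks resolution of external schema locations and other URI references, so the document cannot trigger outbound requests through any path the reader supports.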

When to suppress

You can potentially suppress this warning if the XPathDocument object is used to process an XML file that comes from a trusted source and hence cannot be tampered with.
