Programming Microsoft ASP.NET 4 - Dino Esposito [191]
By default, nonprogrammatic access to .sitemap files is protected and results in a forbidden resource ASP.NET exception. Be aware of this if you plan to replace the default site map configuration and use files with a custom extension. In this case, make sure you explicitly prohibit access to these files through IIS. To further improve security, grant NETWORK SERVICE or ASPNET (the ASP.NET runtime accounts) read-only access to these custom site map files. If you store site maps in a database, configure any involved tables to make them accessible to the smallest number of accounts with the least possible set of privileges.
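One way to prohibit direct requests for site map files with a custom extension, shown as an added example that is not from the book. The .navmap extension is a hypothetical placeholder for whatever extension your custom site map provider reads.

```xml
<?xml version="1.0"?>
<!-- web.config (added example; ".navmap" is a hypothetical custom extension) -->
<configuration>
  <system.web>
    <!-- IIS 6 and the IIS 7+ classic pipeline: hand every request for the
         extension to the same handler that guards .sitemap and .config.
         The extension must be mapped to ASP.NET in IIS for this to take effect. -->
    <httpHandlers>
      <add verb="*" path="*.navmap" type="System.Web.HttpForbiddenHandler" />
    </httpHandlers>
  </system.web>
  <system.webServer>
    <!-- Lets the legacy <httpHandlers> section above coexist with the
         integrated pipeline without a configuration validation error. -->
    <validation validateIntegratedModeConfiguration="false" />
    <security>
      <requestFiltering>
        <fileExtensions>
          <!-- IIS 7+: reject the request before it reaches any handler.
               IIS answers with HTTP 404.7 (file extension denied). -->
          <add fileExtension=".navmap" allowed="false" />
        </fileExtensions>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

After deploying, request the file by its URL and confirm the server refuses it; the site map provider reads the file from disk and is not affected by either rule.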
Note
An excessively large site map file can use a lot of memory and CPU. Aside from a possible performance hit, this situation constitutes a potential security risk in a hosted environment. By restricting the size of site maps for a Web site, you better protect your site against denial-of-service attacks.
Localizing Site Map Information
There are a few properties that you can localize in a site map. They are Title, Description, and all custom properties. You can use an explicit or implicit expression to localize the property. First of all, though, you should enable localization by adding a Boolean attribute to the
...
Localizing site map properties consists of binding properties with $Resources expressions. You can explicitly bind the attribute to a global resource or have it implicitly associated with a value that results from a local resource key. Here’s an example of explicit expressions:
title="$Resources:MyLocalizations,HomePage" />
...
An explicit expression is a $Resources expression that points to a global .resx file and extracts a value by name from there. If the MyLocalizations.resx file contains an entry named HomePage, the value will be read and assigned to the attribute. If it isn’t there, an implicit expression takes over.
An implicit expression takes values out of a local resource file. The localizable [resourceKey].[Attribute]
The following site map snippet shows how to use implicit expressions:
url="~/homepage.aspx" description="default" title="default" />
...
In this case, the resource file has the same name as the .sitemap file plus the .resx extension. In the default case, it will be web.sitemap.resx. This file is expected to contain entries named Home.description and Home.title. If these exist, their values will be used to determine the value of the title and description attributes. In the case of implicit expressions, the values that localizable attributes might have in the .sitemap file are considered default values to be used in case of trouble with the localized resource files.
Note
A .resx file contains resource values for the default culture. To specify resources for a particular language and culture (say, French), you have to change the extension to fr.resx because fr is the identifier of the French culture. Similar prefixes exist for most of the languages and cultures.
Localizing the Site Navigation Structure
What if you want to adapt the navigation structure to a given locale? Unfortunately, the Url property cannot be localized in a site map in the same way as the Title and Description properties. If you want to change URLs, or perhaps change the structure of the site, you create a distinct site map for each