From 56a240c654623549ca51aee044c649b709846953 Mon Sep 17 00:00:00 2001
From: Matt Connew <mconnew@users.noreply.github.com>
Date: Wed, 27 Aug 2025 15:50:14 -0700
Subject: [PATCH] Add warning about using untrusted input with
 ServiceDescriptionImporter

---
 .../ServiceDescriptionImporter.xml                             | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/xml/System.Web.Services.Description/ServiceDescriptionImporter.xml b/xml/System.Web.Services.Description/ServiceDescriptionImporter.xml
index 0a2c9f937fa..e75e7243654 100644
--- a/xml/System.Web.Services.Description/ServiceDescriptionImporter.xml
+++ b/xml/System.Web.Services.Description/ServiceDescriptionImporter.xml
@@ -27,6 +27,9 @@
  The <xref:System.Web.Services.Description.ServiceDescriptionImporter> class allows you to easily import the information contained in a WSDL description into a <xref:System.CodeDom.CodeCompileUnit?displayProperty=nameWithType> object. By adjusting the value of the <xref:System.Web.Services.Description.ServiceDescriptionImporter.Style%2A> parameter, you can instruct a <xref:System.Web.Services.Description.ServiceDescriptionImporter> instance either to generate a client proxy class that provides the functionality of the Web service by transparently calling it or to generate an abstract class that encapsulates the functionality of the Web service without implementing it.  
   
  The code in the resulting <xref:System.CodeDom.CodeCompileUnit> object can then either be called directly or exported in the language of your choice.  
+ 
+ > [!IMPORTANT]
+ > Do not use <xref:System.Web.Services.Description.ServiceDescriptionImporter> with untrusted input. Importing a <xref:System.Web.Services.Description.ServiceDescription> from untrusted sources can result in code generation that accesses arbitrary URLs or instantiates arbitrary .NET types, potentially leading to security vulnerabilities.