From 7340ef7cef9762be708ea310bb14e59bd21c560b Mon Sep 17 00:00:00 2001 From: Rick Anderson Date: Wed, 22 Jul 2020 13:53:09 -1000 Subject: [PATCH 1/7] Security update for JavaScriptTypeResolver and SimpleTypeResolver --- .../SimpleTypeResolver.xml | 120 ++---------------- 1 file changed, 12 insertions(+), 108 deletions(-) diff --git a/xml/System.Web.Script.Serialization/SimpleTypeResolver.xml b/xml/System.Web.Script.Serialization/SimpleTypeResolver.xml index 10dc1391299..ce0c493d4da 100644 --- a/xml/System.Web.Script.Serialization/SimpleTypeResolver.xml +++ b/xml/System.Web.Script.Serialization/SimpleTypeResolver.xml @@ -20,111 +20,15 @@ class to include in the serialized JavaScript Object Notation (JSON) string the assembly-qualified name of any managed type that requires custom type metadata. - - The class enables you to serialize managed types as JSON while retaining the managed type definition for custom types. - - To create an instance of the class that uses a type resolver, you must use the constructor. - - - -## Examples - The following example demonstrates how to use the class and shows the resulting serialized strings by using different type resolvers. - - [!code-aspx-csharp[System.Web.Script.Serialization.TypeResolver#1](~/samples/snippets/csharp/VS_Snippets_Atlas/System.Web.Script.Serialization.TypeResolver/CS/Default.aspx#1)] - [!code-aspx-vb[System.Web.Script.Serialization.TypeResolver#1](~/samples/snippets/visualbasic/VS_Snippets_Atlas/System.Web.Script.Serialization.TypeResolver/VB/Default.aspx#1)] - - ]]> - - - Web Services in ASP.NET AJAX - - - - - - - - - Constructor - - System.Web.Extensions - 3.5.0.0 - 4.0.0.0 - - - - [System.Runtime.TargetedPatchingOptOut("Performance critical to inline this type of method across NGen image boundaries")] - [<System.Runtime.TargetedPatchingOptOut("Performance critical to inline this type of method across NGen image boundaries")>] - - - - - Initializes a new instance of the class. - To be added. - - - - - - - - - - Method - - System.Web.Extensions - 3.5.0.0 - 4.0.0.0 - - - System.Type - - - - - - The assembly-qualified name of the managed type. - Returns the of the specified name. - A object that has the specified name, if found; otherwise, . - - method calls the method to resolve the type. - - ]]> - - - - - - - - - - - Method - - System.Web.Extensions - 3.5.0.0 - 4.0.0.0 - - - System.String - - - - - - The type to be resolved. - Returns the assembly-qualified name of the specified . - A string that contains the assembly-qualified name of the specified type. - To be added. - - is . - - - - - + +> [!WARNING] +> The `SimpleTypeResolver` class is insecure and should not be used. Using `SimpleTypeResolver` to deserialize JSON could allow the remote client to execute malicious code within the app and take control of the web server. + +See the [JavaScriptTypeResolver class documentation](/dotnet/api/system.web.script.serialization.javascripttyperesolver) for a sample which demonstrates using a custom `JavaScriptTypeResolver` safely. + +.NET provides source analyzers to provide alerts to usage of the dangerous `SimpleTypeResolver` type. See ["Overview of source code analyzers"](/visualstudio/code-quality/roslyn-analyzers-overview) for more information on source analyzers. For instructions on installing the source analyzers, see ["Install .NET Compiler Platform code analyzers"](/visualstudio/code-quality/install-roslyn-analyzers). + +When the source analyzers package is activated in a project, references to `SimpleTypeResolver` produce one of the following compiler warnings: + +- [CA2321: Do not deserialize with JavaScriptSerializer using a SimpleTypeResolver](/visualstudio/code-quality/ca2321) +- [CA2322: Ensure JavaScriptSerializer is not initialized with SimpleTypeResolver before deserializing](/visualstudio/code-quality/ca2322) From a5c36537fc19f3a21ad60329027ebd60db6183ca Mon Sep 17 00:00:00 2001 From: Rick Anderson Date: Wed, 22 Jul 2020 14:43:52 -1000 Subject: [PATCH 2/7] Security update for JavaScriptTypeResolver and SimpleTypeResolver --- .../SimpleTypeResolver.xml | 97 +++++++++++++++++++ 1 file changed, 97 insertions(+) diff --git a/xml/System.Web.Script.Serialization/SimpleTypeResolver.xml b/xml/System.Web.Script.Serialization/SimpleTypeResolver.xml index ce0c493d4da..59d990e1265 100644 --- a/xml/System.Web.Script.Serialization/SimpleTypeResolver.xml +++ b/xml/System.Web.Script.Serialization/SimpleTypeResolver.xml @@ -32,3 +32,100 @@ When the source analyzers package is activated in a project, references to `Simp - [CA2321: Do not deserialize with JavaScriptSerializer using a SimpleTypeResolver](/visualstudio/code-quality/ca2321) - [CA2322: Ensure JavaScriptSerializer is not initialized with SimpleTypeResolver before deserializing](/visualstudio/code-quality/ca2322) + +## Examples + + ]]> + + + Web Services in ASP.NET AJAX + + + + + + + + + Constructor + + System.Web.Extensions + 3.5.0.0 + 4.0.0.0 + + + + [System.Runtime.TargetedPatchingOptOut("Performance critical to inline this type of method across NGen image boundaries")] + [<System.Runtime.TargetedPatchingOptOut("Performance critical to inline this type of method across NGen image boundaries")>] + + + + + Initializes a new instance of the class. + To be added. + + + + + + + + + + Method + + System.Web.Extensions + 3.5.0.0 + 4.0.0.0 + + + System.Type + + + + + + The assembly-qualified name of the managed type. + Returns the of the specified name. + A object that has the specified name, if found; otherwise, . + + method calls the method to resolve the type. + + ]]> + + + + + + + + + + + Method + + System.Web.Extensions + 3.5.0.0 + 4.0.0.0 + + + System.String + + + + + + The type to be resolved. + Returns the assembly-qualified name of the specified . + A string that contains the assembly-qualified name of the specified type. + To be added. + + is . + + + + + \ No newline at end of file From 74331c80e1d6abe7d7f1764d26d67b25d9cb6196 Mon Sep 17 00:00:00 2001 From: Rick Anderson Date: Wed, 22 Jul 2020 15:15:31 -1000 Subject: [PATCH 3/7] cleanup --- .../JavaScriptTypeResolver.xml | 238 +++++++++++++++++- 1 file changed, 230 insertions(+), 8 deletions(-) diff --git a/xml/System.Web.Script.Serialization/JavaScriptTypeResolver.xml b/xml/System.Web.Script.Serialization/JavaScriptTypeResolver.xml index 7085c38a1c5..0dcf64e5a9f 100644 --- a/xml/System.Web.Script.Serialization/JavaScriptTypeResolver.xml +++ b/xml/System.Web.Script.Serialization/JavaScriptTypeResolver.xml @@ -31,14 +31,233 @@ If you provide a type resolver to the instance, the serializer will use the and methods to map between the managed type and the string value during the serialization and deserialization process, respectively. The class is the base class for the class, which provides an implementation of a type resolver that uses the managed type assembly-qualified name. - - - + ## Examples - The following example demonstrates how to create a custom type resolver. - - [!code-csharp[System.Web.Script.Serialization.TypeResolver#2](~/samples/snippets/csharp/VS_Snippets_Atlas/System.Web.Script.Serialization.TypeResolver/CS/App_Code/TypeResolver.cs#2)] - [!code-vb[System.Web.Script.Serialization.TypeResolver#2](~/samples/snippets/visualbasic/VS_Snippets_Atlas/System.Web.Script.Serialization.TypeResolver/VB/App_Code/TypeResolver.vb#2)] + +The following example shows how to create a custom `JavaScriptTypeResolver` and how to use it to serialize or deserialize an object. + +```cs +using System; +using System.Linq; +using System.Web.Script.Serialization; + +namespace SampleApp +{ + class Program + { + static void Main(string[] args) + { + // The object array to serialize. + Person[] people = new Person[] + { + new Person() + { + Name = "Kristen Solstad", + Age = 15, + HomeAddress = new Address() + { + Street1 = "123 Palm Ave", + City = "Some City", + StateOrProvince = "ST", + Country = "United States", + PostalCode = "00000" + } + }, + new Adult() + { + Name = "Alex Johnson", + Age = 39, + Occupation = "Mechanic", + HomeAddress = new Address() + { + Street1 = "445 Lorry Way", + Street2 = "Unit 3A", + City = "Some City", + Country = "United Kingdom", + PostalCode = "AA0 A00" + } + } + }; + + // Serialize the object array, then write it to the console. + string serializedData = SerializePeopleArray(people); + Console.WriteLine("Serialized:"); + Console.WriteLine(serializedData); + Console.WriteLine(); + + // Now deserialize the object array. + Person[] deserializedArray = DeserializePeopleArray(serializedData); + Console.WriteLine("Deserialized " + deserializedArray.Length + " people."); + foreach (Person person in deserializedArray) + { + Console.WriteLine(person.Name + " (Age " + person.Age + ") [" + person.GetType() + "]"); + } + } + + static string SerializePeopleArray(Person[] people) + { + // The custom type resolver to use. + // Note: Except for primitives like int and string, *every* type that + // we might see in the object graph must be listed here. + CustomTypeResolver resolver = new CustomTypeResolver( + typeof(Person), + typeof(Adult), + typeof(Address)); + + // Instantiate the serializer + JavaScriptSerializer serializer = new JavaScriptSerializer(resolver); + + // Serialize the object array, then return it. + string serialized = serializer.Serialize(people); + return serialized; + } + + static Person[] DeserializePeopleArray(string serializedData) + { + // The custom type resolver to use. + // Note: This is the same list that was provided to the Serialize routine. + CustomTypeResolver resolver = new CustomTypeResolver( + typeof(Person), + typeof(Adult), + typeof(Address)); + + // Instantiate the serializer. + JavaScriptSerializer serializer = new JavaScriptSerializer(resolver); + + // Deserialize the object array, then return it. + Person[] deserialized = serializer.Deserialize(serializedData); + return deserialized; + } + } + + public class Person + { + public string Name { get; set; } + public int Age { get; set; } + public Address HomeAddress { get; set; } + } + + public class Adult : Person + { + public string Occupation { get; set; } + } + + public class Address + { + public string Street1 { get; set; } + public string Street2 { get; set; } + public string City { get; set; } + public string StateOrProvince { get; set; } + public string Country { get; set; } + public string PostalCode { get; set; } + } + + // A custom JavaScriptTypeResolver that restricts the payload. + // to a set of known good types. + class CustomTypeResolver : JavaScriptTypeResolver + { + private readonly Type[] _allowedTypes; + + public CustomTypeResolver(params Type[] allowedTypes) + { + if (allowedTypes == null) + { + throw new ArgumentNullException("allowedTypes"); + } + + // Make a copy of the array the caller gave us. + _allowedTypes = (Type[])allowedTypes.Clone(); + } + + public override Type ResolveType(string id) + { + // Iterate over all of the allowed types, looking for a match + // for the 'id' parameter. n.b. calling Type.GetType(id) is dangerous, + // so we instead perform a match on the Type.FullName property. + foreach (Type allowedType in _allowedTypes) + { + if (allowedType.FullName == id) + { + return allowedType; + } + } + + // The caller provided a type we don't recognize. This could be + // dangerous, so we'll fail the operation immediately. + throw new ArgumentException("Unknown type: " + id, "id"); + } + + public override string ResolveTypeId(Type type) + { + // Before we serialize data, quickly double-check to make + // sure we're allowed to deserialize the data. Otherwise it's + // no good serializing something if we can't deserialize it. + if (_allowedTypes.Contains(type)) + { + return type.FullName; + } + + throw new InvalidOperationException("Cannot serialize an object of type " + type + ". Did you forget to add it to the allow list?"); + } + } +} +``` + +The preceding app outputs the following to the console, formatted for readability. + +```txt +Serialized: +[ + { + "__type": "SampleApp.Person", + "Name": "Kristen Solstad", + "Age": 15, + "HomeAddress": { + "__type": "SampleApp.Address", + "Street1": "123 Palm Ave", + "Street2": null, + "City": "Some City", + "StateOrProvince": "ST", + "Country": "United States", + "PostalCode": "00000" + } + }, + { + "__type": "SampleApp.Adult", + "Occupation": "Mechanic", + "Name": "Alex Johnson", + "Age": 39, + "HomeAddress": { + "__type": "SampleApp.Address", + "Street1": "445 Lorry Way", + "Street2": "Unit 3A", + "City": "Some City", + "StateOrProvince": null, + "Country": "United Kingdom", + "PostalCode": "AA0 A00" + } + } +] + +Deserialized 2 people. +Kristen Solstad (Age 15) [SampleApp.Person] +Alex Johnson (Age 39) [SampleApp.Adult] +``` + +In the preceding sample, the `Adult` type subclasses the `Person` type. A custom `JavaScriptTypeResolver` is used to include the type information as part of the generated JSON payload. This allows limited polymorphism when deserializing the JSON payload back into a .NET object graph. The payload can control whether to return a base `Person` instance or a derived `Adult` instance back to the caller. + +This sample is safe because it uses an `allow-list` mechanism to control deserialization. The code: + +* Initializes the `CustomTypeResolver` with an explicit list of allowed types. +* Restricted the deserialization process to only that approved list of types. This prevents [deserialization attacks](https://owasp.org/www-community/vulnerabilities/Deserialization_of_untrusted_data), where the remote client specifies a malicious `__type` in the JSON payload and tricks the server into deserializing a dangerous type. + +Even though the app only expects `Person` and `Adult` instances to be deserialized as part of the top-level array, it's still necessary to add `Address` to the allow-list because: + +* Serializing a `Person` or `Adult` also serializes an `Address` as part of the object graph. +* All types that might be present in the object graph need to be accounted for in the allow list.Primitives like `int` and `string` do not need to be specified.) + +> [!WARNING] +> Do not call `Type.GetType(id)` within the `ResolveType` method. This could introduce a security vunerability into the app. Instead, iterate through the list of allowed types, comparing their `Type.FullName` property against the incoming `id`, as shown in the preceding sample: ]]> @@ -99,7 +318,10 @@ ## Remarks When a type resolver is associated with a instance, the serializer uses the method when it iterates through a JSON string to determine the specific managed type to which the JSON type should be converted. - + +> [!NOTE] +> When using a `JavaScriptTypeResolver`, the resulting JSON payload contains a special `__type` property. This property includes the full type name, including namespace, of the target type. Before using a custom resolver, verify that the full name of the target type does not contain sensitive or privileged information. + ]]> From 34c720336850af9fffa07529f6a3cb58dac3a7a1 Mon Sep 17 00:00:00 2001 From: Rick Anderson Date: Wed, 22 Jul 2020 16:49:34 -1000 Subject: [PATCH 4/7] cleanup --- .../JavaScriptTypeResolver.xml | 6 +++--- xml/System.Web.Script.Serialization/SimpleTypeResolver.xml | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/xml/System.Web.Script.Serialization/JavaScriptTypeResolver.xml b/xml/System.Web.Script.Serialization/JavaScriptTypeResolver.xml index 0dcf64e5a9f..1c166e9eec4 100644 --- a/xml/System.Web.Script.Serialization/JavaScriptTypeResolver.xml +++ b/xml/System.Web.Script.Serialization/JavaScriptTypeResolver.xml @@ -32,6 +32,9 @@ The class is the base class for the class, which provides an implementation of a type resolver that uses the managed type assembly-qualified name. +> [!NOTE] +> When using a `JavaScriptTypeResolver`, the resulting JSON payload contains a special `__type` property. This property includes the full type name, including namespace, of the target type. Before using a custom resolver, verify that the full name of the target type does not contain sensitive or privileged information. + ## Examples The following example shows how to create a custom `JavaScriptTypeResolver` and how to use it to serialize or deserialize an object. @@ -319,9 +322,6 @@ Even though the app only expects `Person` and `Adult` instances to be deserializ ## Remarks When a type resolver is associated with a instance, the serializer uses the method when it iterates through a JSON string to determine the specific managed type to which the JSON type should be converted. -> [!NOTE] -> When using a `JavaScriptTypeResolver`, the resulting JSON payload contains a special `__type` property. This property includes the full type name, including namespace, of the target type. Before using a custom resolver, verify that the full name of the target type does not contain sensitive or privileged information. - ]]> diff --git a/xml/System.Web.Script.Serialization/SimpleTypeResolver.xml b/xml/System.Web.Script.Serialization/SimpleTypeResolver.xml index 59d990e1265..0bdaa0f036a 100644 --- a/xml/System.Web.Script.Serialization/SimpleTypeResolver.xml +++ b/xml/System.Web.Script.Serialization/SimpleTypeResolver.xml @@ -15,7 +15,7 @@ - Provides a type resolver for managed types. + Provides an insecure type resolver for managed types. [!WARNING] > The `SimpleTypeResolver` class is insecure and should not be used. Using `SimpleTypeResolver` to deserialize JSON could allow the remote client to execute malicious code within the app and take control of the web server. -See the [JavaScriptTypeResolver class documentation](/dotnet/api/system.web.script.serialization.javascripttyperesolver) for a sample which demonstrates using a custom `JavaScriptTypeResolver` safely. +See [JavaScriptTypeResolver](/dotnet/api/system.web.script.serialization.javascripttyperesolver) for a sample which demonstrates using a custom `JavaScriptTypeResolver` safely. -.NET provides source analyzers to provide alerts to usage of the dangerous `SimpleTypeResolver` type. See ["Overview of source code analyzers"](/visualstudio/code-quality/roslyn-analyzers-overview) for more information on source analyzers. For instructions on installing the source analyzers, see ["Install .NET Compiler Platform code analyzers"](/visualstudio/code-quality/install-roslyn-analyzers). +.NET provides source analyzers to provide alerts to usage of the dangerous `SimpleTypeResolver` type. See [Overview of source code analyzers](/visualstudio/code-quality/roslyn-analyzers-overview) for more information on source analyzers. For instructions on installing the source analyzers, see [Install .NET Compiler Platform code analyzers](/visualstudio/code-quality/install-roslyn-analyzers). When the source analyzers package is activated in a project, references to `SimpleTypeResolver` produce one of the following compiler warnings: From e73f3b1ef753f870ade46b106036a78c474e9272 Mon Sep 17 00:00:00 2001 From: Rick Anderson Date: Thu, 23 Jul 2020 15:47:25 -1000 Subject: [PATCH 5/7] cleanup --- .../JavaScriptTypeResolver.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/xml/System.Web.Script.Serialization/JavaScriptTypeResolver.xml b/xml/System.Web.Script.Serialization/JavaScriptTypeResolver.xml index 1c166e9eec4..9ae446d7e8d 100644 --- a/xml/System.Web.Script.Serialization/JavaScriptTypeResolver.xml +++ b/xml/System.Web.Script.Serialization/JavaScriptTypeResolver.xml @@ -252,12 +252,12 @@ In the preceding sample, the `Adult` type subclasses the `Person` type. A custom This sample is safe because it uses an `allow-list` mechanism to control deserialization. The code: * Initializes the `CustomTypeResolver` with an explicit list of allowed types. -* Restricted the deserialization process to only that approved list of types. This prevents [deserialization attacks](https://owasp.org/www-community/vulnerabilities/Deserialization_of_untrusted_data), where the remote client specifies a malicious `__type` in the JSON payload and tricks the server into deserializing a dangerous type. +* Restricts the deserialization process to only approved list of types. The restriction prevents [deserialization attacks](https://owasp.org/www-community/vulnerabilities/Deserialization_of_untrusted_data), where the remote client specifies a malicious `__type` in the JSON payload and tricks the server into deserializing a dangerous type. Even though the app only expects `Person` and `Adult` instances to be deserialized as part of the top-level array, it's still necessary to add `Address` to the allow-list because: * Serializing a `Person` or `Adult` also serializes an `Address` as part of the object graph. -* All types that might be present in the object graph need to be accounted for in the allow list.Primitives like `int` and `string` do not need to be specified.) +* All types that might be present in the object graph need to be accounted for in the allow list. Primitives like `int` and `string` do not need to be specified. > [!WARNING] > Do not call `Type.GetType(id)` within the `ResolveType` method. This could introduce a security vunerability into the app. Instead, iterate through the list of allowed types, comparing their `Type.FullName` property against the incoming `id`, as shown in the preceding sample: From 0d312d436f6eff60fa0d13762837ec527804033c Mon Sep 17 00:00:00 2001 From: Rick Anderson <3605364+Rick-Anderson@users.noreply.github.com> Date: Fri, 24 Jul 2020 08:53:38 -1000 Subject: [PATCH 6/7] Apply suggestions from code review Co-authored-by: Genevieve Warren <24882762+gewarren@users.noreply.github.com> --- .../JavaScriptTypeResolver.xml | 6 +++--- .../SimpleTypeResolver.xml | 8 ++++---- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/xml/System.Web.Script.Serialization/JavaScriptTypeResolver.xml b/xml/System.Web.Script.Serialization/JavaScriptTypeResolver.xml index 9ae446d7e8d..e1a04eb9dda 100644 --- a/xml/System.Web.Script.Serialization/JavaScriptTypeResolver.xml +++ b/xml/System.Web.Script.Serialization/JavaScriptTypeResolver.xml @@ -107,7 +107,7 @@ namespace SampleApp typeof(Adult), typeof(Address)); - // Instantiate the serializer + // Instantiate the serializer. JavaScriptSerializer serializer = new JavaScriptSerializer(resolver); // Serialize the object array, then return it. @@ -155,7 +155,7 @@ namespace SampleApp public string PostalCode { get; set; } } - // A custom JavaScriptTypeResolver that restricts the payload. + // A custom JavaScriptTypeResolver that restricts the payload // to a set of known good types. class CustomTypeResolver : JavaScriptTypeResolver { @@ -260,7 +260,7 @@ Even though the app only expects `Person` and `Adult` instances to be deserializ * All types that might be present in the object graph need to be accounted for in the allow list. Primitives like `int` and `string` do not need to be specified. > [!WARNING] -> Do not call `Type.GetType(id)` within the `ResolveType` method. This could introduce a security vunerability into the app. Instead, iterate through the list of allowed types, comparing their `Type.FullName` property against the incoming `id`, as shown in the preceding sample: +> Do not call `Type.GetType(id)` within the `ResolveType` method. This could introduce a security vunerability into the app. Instead, iterate through the list of allowed types and compare their `Type.FullName` property against the incoming `id`, as shown in the preceding sample. ]]> diff --git a/xml/System.Web.Script.Serialization/SimpleTypeResolver.xml b/xml/System.Web.Script.Serialization/SimpleTypeResolver.xml index 0bdaa0f036a..6ece6a29547 100644 --- a/xml/System.Web.Script.Serialization/SimpleTypeResolver.xml +++ b/xml/System.Web.Script.Serialization/SimpleTypeResolver.xml @@ -24,11 +24,11 @@ > [!WARNING] > The `SimpleTypeResolver` class is insecure and should not be used. Using `SimpleTypeResolver` to deserialize JSON could allow the remote client to execute malicious code within the app and take control of the web server. -See [JavaScriptTypeResolver](/dotnet/api/system.web.script.serialization.javascripttyperesolver) for a sample which demonstrates using a custom `JavaScriptTypeResolver` safely. +For a sample that demonstrates using a custom `JavaScriptTypeResolver` safely, see . -.NET provides source analyzers to provide alerts to usage of the dangerous `SimpleTypeResolver` type. See [Overview of source code analyzers](/visualstudio/code-quality/roslyn-analyzers-overview) for more information on source analyzers. For instructions on installing the source analyzers, see [Install .NET Compiler Platform code analyzers](/visualstudio/code-quality/install-roslyn-analyzers). +.NET provides source analyzers that alert you to usage of the dangerous `SimpleTypeResolver` type. For more information about source analyzers, see [Overview of source code analyzers](/visualstudio/code-quality/roslyn-analyzers-overview). For instructions on installing the source analyzers, see [Install .NET Compiler Platform code analyzers](/visualstudio/code-quality/install-roslyn-analyzers). -When the source analyzers package is activated in a project, references to `SimpleTypeResolver` produce one of the following compiler warnings: +When the source analyzers package is activated in a project, references to `SimpleTypeResolver` produce one of the following compiler warnings: - [CA2321: Do not deserialize with JavaScriptSerializer using a SimpleTypeResolver](/visualstudio/code-quality/ca2321) - [CA2322: Ensure JavaScriptSerializer is not initialized with SimpleTypeResolver before deserializing](/visualstudio/code-quality/ca2322) @@ -128,4 +128,4 @@ When the source analyzers package is activated in a project, references to `Simp - \ No newline at end of file + From 4ab5bea6f683a10340e9bff28d53f661c67d3c42 Mon Sep 17 00:00:00 2001 From: Rick Anderson <3605364+Rick-Anderson@users.noreply.github.com> Date: Fri, 24 Jul 2020 10:20:55 -1000 Subject: [PATCH 7/7] Update xml/System.Web.Script.Serialization/JavaScriptTypeResolver.xml Co-authored-by: Genevieve Warren <24882762+gewarren@users.noreply.github.com> --- xml/System.Web.Script.Serialization/JavaScriptTypeResolver.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xml/System.Web.Script.Serialization/JavaScriptTypeResolver.xml b/xml/System.Web.Script.Serialization/JavaScriptTypeResolver.xml index e1a04eb9dda..edd7913846c 100644 --- a/xml/System.Web.Script.Serialization/JavaScriptTypeResolver.xml +++ b/xml/System.Web.Script.Serialization/JavaScriptTypeResolver.xml @@ -175,7 +175,7 @@ namespace SampleApp public override Type ResolveType(string id) { // Iterate over all of the allowed types, looking for a match - // for the 'id' parameter. n.b. calling Type.GetType(id) is dangerous, + // for the 'id' parameter. Calling Type.GetType(id) is dangerous, // so we instead perform a match on the Type.FullName property. foreach (Type allowedType in _allowedTypes) {