Improve MotW handling and clarify the MSB3821

[JanKrivanek]

Context

ResXFileRef could lead to adding linked resources - so it should not be processed if 'mark of the web' metadata is present. Going forward - we should not allow any typed entry (as for unknown types the Type.GetType is eventually called, which can probe for assemblies on disk).

Additionaly - clarifying the messaging for MotW - as general guidance is unchanged - users are still responsible for reviewing/trusting the msbuild inputs and env.

Related

https://github.com/MicrosoftDocs/visualstudio-docs-pr/pull/15493

[Copilot]

Pull request overview

This PR tightens GenerateResource’s handling of Mark-of-the-Web (Internet/Restricted zone) inputs to reduce risk from .resx files that can trigger type loading / linked-file processing, and updates MSB3821 text to include secure-usage guidance.

Changes:

• Expand “dangerous” .resx/.resw detection to treat ResXFileRef entries as dangerous and (behind ChangeWave 18.8) treat any typed entry as dangerous for MotW-tagged files.
• Clarify MSB3821 to instruct users to unblock only if they trust the files and link to MSBuild security best practices.
• Update localized XLF source strings and mark translations as needing review.

Show a summary per file

File	Description
src/Tasks/Resources/xlf/Strings.zh-Hant.xlf	Updates MSB3821 source string; marks translation as needing review.
src/Tasks/Resources/xlf/Strings.zh-Hans.xlf	Updates MSB3821 source string; marks translation as needing review.
src/Tasks/Resources/xlf/Strings.tr.xlf	Updates MSB3821 source string; marks translation as needing review.
src/Tasks/Resources/xlf/Strings.ru.xlf	Updates MSB3821 source string; marks translation as needing review.
src/Tasks/Resources/xlf/Strings.pt-BR.xlf	Updates MSB3821 source string; marks translation as needing review.
src/Tasks/Resources/xlf/Strings.pl.xlf	Updates MSB3821 source string; marks translation as needing review.
src/Tasks/Resources/xlf/Strings.ko.xlf	Updates MSB3821 source string; marks translation as needing review.
src/Tasks/Resources/xlf/Strings.ja.xlf	Updates MSB3821 source string; marks translation as needing review.
src/Tasks/Resources/xlf/Strings.it.xlf	Updates MSB3821 source string; marks translation as needing review.
src/Tasks/Resources/xlf/Strings.fr.xlf	Updates MSB3821 source string; marks translation as needing review.
src/Tasks/Resources/xlf/Strings.es.xlf	Updates MSB3821 source string; marks translation as needing review.
src/Tasks/Resources/xlf/Strings.de.xlf	Updates MSB3821 source string; marks translation as needing review.
src/Tasks/Resources/xlf/Strings.cs.xlf	Updates MSB3821 source string; marks translation as needing review.
src/Tasks/Resources/Strings.resx	Updates MSB3821 English resource string with security guidance link.
src/Tasks/GenerateResource.cs	Extends MotW “dangerous” detection to cover ResXFileRef and typed entries (ChangeWave-gated).

Copilot's findings

• Files reviewed: 15/15 changed files
• Comments generated: 2

[JanProvaznik]

/review

[github-actions]

⚠️ Security scanning failed for Expert Code Review (command). Review the logs for details.

Dependency Management — LGTM

[github-actions]

Code Review — Design-Level Findings

🔴 MAJOR: No tests for new IsDangerous() behavior (Test Coverage, dim 4)

No test files were changed in this PR. Both new code paths have zero coverage:

1. .resx with type containing "ResXFileRef" → should return dangerous = true (new unconditional path)
2. .resx with any type + Wave18_8 enabled → dangerous = true (new wave-gated path)
3. .resx with any type + Wave18_8 disabled → dangerous = false (wave-off regression guard)
4. .resx with no type/mimetype → dangerous = false (baseline)

This is especially important for a security-sensitive code path — a mistyped literal or accidental logic inversion would silently disable the protection with no failing test to catch it. The inner XML-parsing logic can be extracted into a static helper taking a TextReader, making it testable cross-platform without the COM/zone machinery.

Relevant test file: src/Tasks.UnitTests/ResourceHandling/GenerateResource_Tests.cs

---

🔴 MAJOR: ChangeWaves.md missing Wave18_8 entry (ChangeWave Discipline, dim 2)

documentation/wiki/ChangeWaves.md's ### 18.8 section does not document the new behavior. Users whose builds newly fail with MSB3821 on a typed .resx entry have no discoverable path to the MSBUILDDISABLEFEATURESFROMVERSION=18.8 opt-out.

Recommended addition under ### 18.8:

- [GenerateResource: typed ResX data entries (including ResXFileRef) in Mark-of-the-Web files are now blocked (MSB3821); unblock the file or set MSBUILDDISABLEFEATURESFROMVERSION=18.8 to restore prior behavior](https://github.com/dotnet/msbuild/pull/14015)

---

🟡 MODERATE: No per-trigger diagnostic (Logging & Diagnostics, dim 6)

All three IsDangerous() triggers — mimetype, ResXFileRef, wave-gated typed entry — emit the same generic MSB3821 message. For the Wave18_8 path (new default behavior), users won't know which element caused the failure or that MSBUILDDISABLEFEATURESFROMVERSION=18.8 is the opt-out. Consider propagating a trigger reason out of IsDangerous() so the call site can append a supplemental Log.LogMessage naming the ChangeWave and opt-out path for the wave-gated case.

---

💬 NIT: Single-letter variable name s (Naming, dim 14)

string s = reader.LocalName; (line 987) — consider string localName = reader.LocalName; to make the comparisons self-documenting at each use site.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• patchdiff.githubusercontent.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "patchdiff.githubusercontent.com"

See Network Configuration for more information.

Generated by Expert Code Review (command) for issue #14015 · 2.8K AIC · ⊞ 29.8K ambient context · ◷
_{Comment /review to run again}

[github-actions]

Expert Review — 24-Dimension Analysis

#	Dimension	Verdict
1	Backwards Compatibility Vigilance	🔴 1 BLOCKING
2	ChangeWave Discipline	🟠 1 MAJOR
4	Test Coverage & Completeness	🟠 1 MAJOR
6	Logging & Diagnostics Rigor	🟡 1 MODERATE
12	Code Simplification	💬 1 NIT
14	Naming Precision	💬 1 NIT

✅ 18/24 dimensions clean.

---

🔴 BLOCKING — Backwards Compatibility

The ResXFileRef check (line 1004–1006) is unconditional — it has no ChangeWave gate.

This is a hard breaking change: any .resx file downloaded from the internet (MotW applied) that uses the standard WinForms designer pattern of ResXFileRef for image resources will now fail with MSB3821. The immediately adjacent branch (else if (ChangeWaves.AreFeaturesEnabled(ChangeWaves.Wave18_8))) is correctly gated — the ResXFileRef branch appears to have been overlooked. The AllowMOTW registry key is machine-wide and is not a viable per-project workaround.

Fix: Gate both checks behind the same ChangeWave (see inline comment on line 1006).

---

🟠 MAJOR — Missing items

• Test coverage — Both new behaviors (ResXFileRef detection, Wave18_8 typed-entry blocking) have zero test coverage. Add [WindowsOnlyFact]-gated unit tests to GenerateResource_Tests.cs.
• ChangeWaves.md — The Wave18_8 section in documentation/wiki/ChangeWaves.md does not document this behavior. Users cannot discover the MSBUILDDISABLEFEATURESFROMVERSION=18.8 opt-out.

---

The security intent of this PR is correct and valuable — ResXFileRef in MotW-tagged files is a real risk. The fix just needs to respect the ChangeWave discipline that MSBuild uses for all behavioral changes, and needs test coverage to maintain that security guarantee over time.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• patchdiff.githubusercontent.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "patchdiff.githubusercontent.com"

See Network Configuration for more information.

Generated by Expert Code Review (command) for issue #14015 · 2.8K AIC · ⊞ 29.8K ambient context
_{Comment /review to run again}

[JanProvaznik]

it should be changewave 18.9

adressed