Merge branch 'ca5366' of https://github.com/LLLXXXCCC/visualstudio-docs-pr into ca5366

Author: LingxiaChen

docs/code-quality/ca5374.md

@@ -0,0 +1,102 @@
+---
+title: "CA5374: Do Not Use XslTransform"
+description: Provides information about code analysis rule CA5374, including causes, how to fix violations, and when to suppress it.
+ms.date: 04/28/2020
+ms.topic: reference
+author: LLLXXXCCC
+ms.author: linche
+manager: jillfra
+dev_langs:
+ - CSharp
+ - VB
+ms.workload:
+  - "multiple"
+f1_keywords:
+  - "CA5374"
+  - "DoNotUseXslTransform"
+---
+# CA5374: Do Not Use XslTransform
+
+|||
+|-|-|
+|CheckId|CA5374|
+|Category|Microsoft.Security|
+|Breaking change|Non-breaking|
+
+## Cause
+
+Instantiating an <xref:System.Xml.Xsl.XslTransform?displayProperty=nameWithType>, which doesn't restrict potentially dangerous external references.
+
+## Rule description
+
+<xref:System.Xml.Xsl.XslTransform> is vulnerable when operating on untrusted input. An attack could execute arbitrary code.
+
+## How to fix violations
+
+Replace <xref:System.Xml.Xsl.XslTransform> with <xref:System.Xml.Xsl.XslCompiledTransform?displayProperty=nameWithType>. For more guidance, see [/dotnet/standard/data/xml/migrating-from-the-xsltransform-class].
+
+## When to suppress warnings
+
+The <xref:System.Xml.Xsl.XslTransform> object, XSLT style sheets, and XML source data are all from trusted sources. 
+
+## Pseudo-code examples
+
+### Violation
+
+At present, the following pseudo-code sample illustrates the pattern detected by this rule.
+
+```csharp
+using System;
+using System.Xml;
+using System.Xml.XPath;
+using System.Xml.Xsl;
+
+namespace TestForXslTransform
+{
+    class Program
+    {
+        static void Main(string[] args)
+        {
+            // Create a new XslTransform object.
+            XslTransform xslt = new XslTransform();
+
+            // Load the stylesheet.
+            xslt.Load("http://server/favorite.xsl");
+
+            // Create a new XPathDocument and load the XML data to be transformed.
+            XPathDocument mydata = new XPathDocument("inputdata.xml");
+
+            // Create an XmlTextWriter which outputs to the console.
+            XmlWriter writer = new XmlTextWriter(Console.Out);
+
+            // Transform the data and send the output to the console.
+            xslt.Transform(mydata, null, writer, null);
+        }
+    }
+}
+```
+
+### Solution
+
+```csharp
+using System.Xml;
+using System.Xml.Xsl;
+
+namespace TestForXslTransform
+{
+    class Program
+    {
+        static void Main(string[] args)
+        {
+            // Create the XsltSettings object with script enabled.
+            XsltSettings settings = new XsltSettings(false, true);
+
+            // Execute the transform.
+            XslCompiledTransform xslt = new XslCompiledTransform();
+            xslt.Load("http://server/favorite.xsl", settings, new XmlUrlResolver());
+            xslt.Transform("inputdata.xml", "outputdata.html");
+        }
+    }
+}
+
+```

docs/code-quality/code-analysis-warnings-for-managed-code-by-checkid.md

@@ -271,6 +271,7 @@ f1_keywords:
 - CA2245
 - CA2246
 - CA5122
+- CA5374
 ms.assetid: 5cb221f6-dc59-4abf-9bfa-adbd6f907f96
 author: mikejo5000
 ms.author: mikejo
@@ -540,3 +541,4 @@ The following table lists Code Analysis warnings for managed code by the CheckId
 | CA2246 | [CA2246: Do not assign a symbol and its member in the same statement](../code-quality/ca2246.md) | Assigning a symbol and its member, that is, a field or a property, in the same statement is not recommended. It is not clear if the member access was intended to use the symbol's old value prior to the assignment or the new value from the assignment in this statement. |
 | CA5122 | [CA5122 P/Invoke declarations should not be safe critical](../code-quality/ca5122.md) | Methods are marked as SecuritySafeCritical when they perform a security sensitive operation, but are also safe to be used by transparent code. Transparent code may never directly call native code through a P/Invoke. Therefore, marking a P/Invoke as security safe critical will not enable transparent code to call it, and is misleading for security analysis. |
 | CA5366 | [CA5366 Use XmlReader For DataSet Read XML](../code-quality/ca5366.md) | Using a <xref:System.Data.DataSet> to read XML with untrusted data may load dangerous external references, which should be restricted by using an <xref:System.Xml.XmlReader> with a secure resolver or with DTD processing disabled. |
+| CA5374 | [CA5374 Do Not Use XslTransform](../code-quality/ca5374.md) | This rule checks if <xref:System.Xml.Xsl.XslTransform?displayProperty=nameWithType> is instantiated in the code. <xref:System.Xml.Xsl.XslTransform?displayProperty=nameWithType> is now obsolete and shouldn’t be used. |

docs/code-quality/security-warnings.md

@@ -109,6 +109,7 @@ Security warnings support safer libraries and applications. These warnings help
 |[CA5371: Use XmlReader for schema read](../code-quality/ca5371.md)|Processing untrusted DTD and XML schemas may enable loading dangerous external references. Using an XmlReader with a secure resolver or with DTD and XML inline schema processing disabled restricts this.|
 |[CA5372: Use XmlReader for XPathDocument](../code-quality/ca5372.md)|Processing XML from untrusted data may load dangerous external references, which can be restricted by using an XmlReader with a secure resolver or with DTD processing disabled.|
 |[CA5373: Do not use obsolete key derivation function](../code-quality/ca5373.md)|This rule detects the invocation of weak key derivation methods <xref:System.Security.Cryptography.PasswordDeriveBytes?displayProperty=fullName> and `Rfc2898DeriveBytes.CryptDeriveKey`. <xref:System.Security.Cryptography.PasswordDeriveBytes?displayProperty=fullName> used a weak algorithm PBKDF1.|
+|[CA5374: Do Not Use XslTransform](../code-quality/ca5374.md)|This rule checks if <xref:System.Xml.Xsl.XslTransform?displayProperty=nameWithType> is instantiated in the code. <xref:System.Xml.Xsl.XslTransform?displayProperty=nameWithType> is now obsolete and shouldn’t be used.|
 |[CA5378: Do not disable ServicePointManagerSecurityProtocols](../code-quality/ca5378.md)|Setting `Switch.System.ServiceModel.DisableUsingServicePointManagerSecurityProtocols` to `true` limits Windows Communication Framework's (WCF) Transport Layer Security (TLS) connections to using TLS 1.0. That version of TLS will be deprecated.|
 |[CA5380: Do not add certificates to root store](../code-quality/ca5380.md)|This rule detects code that adds a certificate into the Trusted Root Certification Authorities certificate store. By default, the Trusted Root Certification Authorities certificate store is configured with a set of public CAs that has met the requirements of the Microsoft Root Certificate Program.|
 |[CA5381: Ensure certificates are not added to root store](../code-quality/ca5381.md)|This rule detects code that potentially adds a certificate into the Trusted Root Certification Authorities certificate store. By default, the Trusted Root Certification Authorities certificate store is configured with a set of public certification authorities (CAs) that has met the requirements of the Microsoft Root Certificate Program.|

docs/code-quality/toc.yml

@@ -764,6 +764,8 @@
           href: ca5372.md
         - name: "CA5373: Do not use obsolete key derivation function"
           href: ca5373.md
+        - name: "CA5374: Do Not Use XslTransform"
+          href: ca5374.md
         - name: "CA5378: Do not disable ServicePointManagerSecurityProtocols"
           href: ca5378.md
         - name: "CA5380: Do not add certificates to root store"