Consider replacing the use of BinaryFormatter at all in WinForms.

AraHaan commented 8 months ago

.NET version

I will investigate a way to be able to parse the types from Resx without the security issues from BinaryFormatter inside of the winforms codebase in the next few weeks. Because .NET 9 will entirely remove them by default and that I FEEL LIKE being REQUIRED to reference an external nuget package because I set "Localizable" to true on a form should not justify a possible security hole in people's applications. That is not acceptable.

Did it work in .NET Framework?

Yes

Did it work in any of the earlier releases of .NET Core or .NET 5+?

Yes, but BinaryFormatter was deprecated. Now in .NET 9 it will throw an exception on all of it's APIs, and will have the real code in a nuget package. Although best option here is to look into other means of doing the same thing from within the Windows Forms repository. But first I will write code separate from it to test and then copy paste it all into the Windows Forms codebase to be used internally as an implementation detail.

Issue description

BinaryFormatter should be avoided entirely, I know there are other ways of the same thing, perhaps serialize the types as json instead and store said json strings inside of the resx and deserialize that instead at runtime? Would still need code in the designer for that however to migrate the format of those strings in the resx files to json form but it can be done like that as well. Also System.Text.Json is part of the main shared framework and so it should be no problems depending on it.

Steps to reproduce

Create a new winforms project in .NET 8 or 9 Preview SDK (dotnet new winforms)
open the project in Visual Studio 2022
set the main form to be "Localizable".
Build and get warnings from each item added to the resx file from the designer itself.

AraHaan commented 8 months ago

https://github.com/search?q=repo%3Adotnet%2Fwinforms%20BinaryFormatter&type=code for where it is used in the code today.