Tags: c#, xmlserializer, suppress-warnings, security-code-scan

How do I fix SCS0028?


Security Scan warnings in Visual Studio are shown during the build. Currently, I am working on getting these warnings removed. I tried several MSDN sites but had no luck. I have also read OWASP, but they are not clearly related to C#.


Code:

    using System.IO;
    using System.Xml.Serialization;

    public static class XMLUtility
    {
        public static T DeserializeXML<T>(this string xmlString)
        {
            T returnValue = default(T);
            if (string.IsNullOrEmpty(xmlString))
                return returnValue;
            // Both the target type T and the XML text are chosen by the caller;
            // this is the line the analyzer flags as SCS0028.
            XmlSerializer serial = new XmlSerializer(typeof(T));
            using (StringReader reader = new StringReader(xmlString))
            {
                object result = serial.Deserialize(reader);
                if (result != null && result is T)
                {
                    returnValue = (T)result;
                }
            }
            return returnValue;
        }
    }

Solution

  • First of all, the warning is valid, because the type T and xmlString are passed from outside and are potentially untrusted (user input). You can check ysoserial.net for a proof of concept.

    Code fixers are not implemented for the warning, which is why the "Show potential fixes" link doesn't work. There are too many options to fix the issue, so it has to be done manually. Did you click on the SCS0028 link to read about potential solutions?

    If the input is trusted, the other standard action, if you have ever worked with any Visual Studio analyzer, is Suppress. Here is an article by Microsoft about the functionality.

    I find the UI not very intuitive, because you have to click on the underlined piece of code; only then does a bubble appear at the beginning of the line where the suppress menu is available.

    Another place where the menu is available is the Error List.
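One way to keep the helper while addressing what the analyzer is warning about (the target type and the XML both arriving from the caller), as an added example that is neither the asker's code nor part of Security Code Scan; the Order type and the allow-list contents are assumptions:

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Xml;
using System.Xml.Serialization;

// Added example, not the asker's code: a hardened variant of DeserializeXML.
// The target type must be on a fixed allow-list, so a caller cannot hand in an
// arbitrary Type, and the reader prohibits DTDs and external resolution so the
// XML payload itself cannot expand entities or fetch remote resources.
public static class SafeXmlUtility
{
    // Only these types may be deserialized; anything else is refused.
    private static readonly HashSet<Type> AllowedTypes = new HashSet<Type>
    {
        typeof(Order)   // hypothetical sample type, defined below
    };

    public static T DeserializeXml<T>(this string xmlString) where T : class
    {
        if (string.IsNullOrEmpty(xmlString))
            return null;
        if (!AllowedTypes.Contains(typeof(T)))
            throw new InvalidOperationException(
                "Type is not on the deserialization allow-list: " + typeof(T));

        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // reject <!DOCTYPE>: no entity expansion
            XmlResolver = null                      // never resolve external resources
        };
        var serial = new XmlSerializer(typeof(T));
        using (var sr = new StringReader(xmlString))
        using (var reader = XmlReader.Create(sr, settings))
        {
            return serial.Deserialize(reader) as T;
        }
    }

    public static void Main()
    {
        // Constructed sample input for the demo.
        const string xml = "<Order><Id>42</Id><Sku>ABC-1</Sku></Order>";
        Order order = xml.DeserializeXml<Order>();
        Console.WriteLine(order.Id + " " + order.Sku);
    }
}
// Hypothetical sample type on the allow-list.
public class Order { public int Id { get; set; } public string Sku { get; set; } }
```

With the type fixed at compile time through the allow-list and the reader settings locked down, the remaining decision for the analyzer warning is whether this input source is trusted enough to suppress, or whether the allow-list check should live here permanently.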