From 327e01eb0baacfda3b5173d2bcab1c7174878e24 Mon Sep 17 00:00:00 2001
From: Sevo Kukol <sevoku@microsoft.com>
Date: Thu, 16 Feb 2023 15:25:45 +0100
Subject: [PATCH 1/6] Use JsonSerializer instead of insecure BinaryFormatter in
 TransferDataSource.

---
 Xwt.Gtk/Xwt.GtkBackend/Util.cs            |  2 +-
 Xwt.WPF/Xwt.WPFBackend/DataConverter.cs   |  2 +-
 Xwt.XamMac/Xwt.Mac/MacClipboardBackend.cs |  4 ++--
 Xwt.XamMac/Xwt.Mac/ViewBackend.cs         |  2 +-
 Xwt/Xwt.Backends/TransferDataStore.cs     |  4 ++--
 Xwt/Xwt.csproj                            |  3 +++
 Xwt/Xwt/TransferDataSource.cs             | 23 ++++++++---------------
 7 files changed, 18 insertions(+), 22 deletions(-)

diff --git a/Xwt.Gtk/Xwt.GtkBackend/Util.cs b/Xwt.Gtk/Xwt.GtkBackend/Util.cs
index f63aa2cc4..48dd0fb93 100644
--- a/Xwt.Gtk/Xwt.GtkBackend/Util.cs
+++ b/Xwt.Gtk/Xwt.GtkBackend/Util.cs
@@ -79,7 +79,7 @@ public static void SetSelectionData (Gtk.SelectionData data, string atomType, ob
 				data.SetUris(new string[] { ((Uri)val).AbsolutePath });
 			else {
 				var at = Gdk.Atom.Intern (atomType, false);
-				data.Set (at, 0, TransferDataSource.SerializeValue (val));
+				data.Set (at, 0, TransferDataSource.SerializeValue (val, val.GetType()));
 			}
 		}
 		
diff --git a/Xwt.WPF/Xwt.WPFBackend/DataConverter.cs b/Xwt.WPF/Xwt.WPFBackend/DataConverter.cs
index 73e91f2c8..464cef7dc 100644
--- a/Xwt.WPF/Xwt.WPFBackend/DataConverter.cs
+++ b/Xwt.WPF/Xwt.WPFBackend/DataConverter.cs
@@ -373,7 +373,7 @@ public static DataObject ToDataObject (this TransferDataSource data)
 					uris.Add (((Uri)value).LocalPath);
 					retval.SetFileDropList (uris);
 				} else
-					retval.SetData (type.Id, TransferDataSource.SerializeValue (value));
+					retval.SetData (type.Id, TransferDataSource.SerializeValue (value, value.GetType()));
 			}
 
 			return retval;
diff --git a/Xwt.XamMac/Xwt.Mac/MacClipboardBackend.cs b/Xwt.XamMac/Xwt.Mac/MacClipboardBackend.cs
index c7a2d5e8f..c63bf089f 100644
--- a/Xwt.XamMac/Xwt.Mac/MacClipboardBackend.cs
+++ b/Xwt.XamMac/Xwt.Mac/MacClipboardBackend.cs
@@ -80,7 +80,7 @@ public override object GetData (TransferDataType type)
 				var bytes = new byte [data.Length];
 				using (var stream = new UnmanagedMemoryStream ((byte*)data.Bytes, bytes.Length))
 					stream.Read (bytes, 0, bytes.Length);
-				return TransferDataSource.DeserializeValue (bytes);
+				return TransferDataSource.DeserializeValue (bytes, Type.GetType (type.Id));
 			}
 		}
 
@@ -121,7 +121,7 @@ public void ProvideData (NSPasteboard pboard, NSString type)
 			else if (obj is string)
 				data = NSData.FromString ((string)obj);
 			else
-				data = NSData.FromArray (TransferDataSource.SerializeValue (obj));
+				data = NSData.FromArray (TransferDataSource.SerializeValue (obj, obj.GetType()));
 			pboard.SetDataForType (data, type);
 		}
 	}
diff --git a/Xwt.XamMac/Xwt.Mac/ViewBackend.cs b/Xwt.XamMac/Xwt.Mac/ViewBackend.cs
index 05fcf8f80..bd581f0cb 100644
--- a/Xwt.XamMac/Xwt.Mac/ViewBackend.cs
+++ b/Xwt.XamMac/Xwt.Mac/ViewBackend.cs
@@ -968,7 +968,7 @@ public void ProvideDataForType (NSPasteboard pasteboard, NSPasteboardItem item,
 					else {
 						// For internal types, provided serialized data
 						object value = dataSource.GetValue(transferDataType);
-						NSData serializedData = NSData.FromArray(TransferDataSource.SerializeValue(value));
+						NSData serializedData = NSData.FromArray(TransferDataSource.SerializeValue(value, value.GetType()));
 						pasteboard.SetDataForType(serializedData, type);
 					}
 				}
diff --git a/Xwt/Xwt.Backends/TransferDataStore.cs b/Xwt/Xwt.Backends/TransferDataStore.cs
index 17924d679..b36eccba4 100644
--- a/Xwt/Xwt.Backends/TransferDataStore.cs
+++ b/Xwt/Xwt.Backends/TransferDataStore.cs
@@ -78,7 +78,7 @@ public void AddValue (TransferDataType type, byte[] value)
 		{
 			Type t = Type.GetType (type.Id);
 			if (t != null)
-				data [type] = TransferDataSource.DeserializeValue (value);
+				data [type] = TransferDataSource.DeserializeValue (value, t);
 			else
 				data [type] = value;
 		}
@@ -119,7 +119,7 @@ T ITransferData.GetValue<T> ()
 			if (ob == null || ob.GetType () == typeof(Type))
 				return (T) ob;
 			if (ob is byte[]) {
-				T val = (T) TransferDataSource.DeserializeValue ((byte[])ob);
+				T val = (T) TransferDataSource.DeserializeValue ((byte[])ob, typeof(T));
 				data[TransferDataType.FromType (typeof(T))] = val;
 				return val;
 			}
diff --git a/Xwt/Xwt.csproj b/Xwt/Xwt.csproj
index 5744433b1..6bc670074 100644
--- a/Xwt/Xwt.csproj
+++ b/Xwt/Xwt.csproj
@@ -34,6 +34,9 @@ The framework consists of the frontend (Xwt core) and platform specific backends
     <None Include="..\LICENSE.txt" Pack="true" PackagePath="" />
     <None Include="..\README.markdown" Pack="true" PackagePath="" />
   </ItemGroup>
+  <ItemGroup>
+    <PackageReference Include="System.Text.Json" Version="7.0.2" />
+  </ItemGroup>
   <ProjectExtensions>
     <MonoDevelop>
       <Properties>
diff --git a/Xwt/Xwt/TransferDataSource.cs b/Xwt/Xwt/TransferDataSource.cs
index 1e1949835..e404383e5 100644
--- a/Xwt/Xwt/TransferDataSource.cs
+++ b/Xwt/Xwt/TransferDataSource.cs
@@ -31,7 +31,7 @@
 using System.Runtime.Serialization.Formatters.Binary;
 using Xwt.Drawing;
 using Xwt.Backends;
-
+using System.Text.Json;
 
 namespace Xwt
 {
@@ -138,32 +138,25 @@ public object GetValue (TransferDataType type)
 			}
 			return null;
 		}
-		
+
 		/// <summary>
-		/// Serializes a value to a byte array using <see cref="System.Runtime.Serialization.Formatters.Binary.BinaryFormatter"/> .
+		/// Serializes a value to a byte array using <see cref="System.Text.Json.JsonSerializer"/> .
 		/// </summary>
 		/// <returns>The serialized value.</returns>
 		/// <param name="val">The value to serialize.</param>
-		public static byte[] SerializeValue (object val)
+		public static byte[] SerializeValue (object val, Type type)
 		{
-			using (MemoryStream ms = new MemoryStream ()) {
-				BinaryFormatter bf = new BinaryFormatter ();
-				bf.Serialize (ms, val);
-				return ms.ToArray ();
-			}
+			return JsonSerializer.SerializeToUtf8Bytes (val, type);
 		}
 		
 		/// <summary>
 		/// Deserializes a value from a byte array.
 		/// </summary>
 		/// <returns>The deserialized value.</returns>
-		/// <param name="data">The byte array containing the serialized value.</param>
-		public static object DeserializeValue (byte[] data)
+		/// <param name="data">The byte array containing the Utf8 Json serialized value.</param>
+		public static object DeserializeValue (byte[] data, Type type)
 		{
-			using (MemoryStream ms = new MemoryStream (data)) {
-				BinaryFormatter bf = new BinaryFormatter ();
-				return bf.Deserialize (ms);
-			}
+			return JsonSerializer.Deserialize (data, type);
 		}
 	}
 	

From c997892a932449ee64c403bca1a64bf26532a008 Mon Sep 17 00:00:00 2001
From: Sevo Kukol <sevoku@microsoft.com>
Date: Fri, 17 Feb 2023 12:32:53 +0100
Subject: [PATCH 2/6] Bring back original TransferDataSource API and mark it
 obsolete.

---
 Xwt/Xwt/TransferDataSource.cs | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/Xwt/Xwt/TransferDataSource.cs b/Xwt/Xwt/TransferDataSource.cs
index e404383e5..72b0ceb78 100644
--- a/Xwt/Xwt/TransferDataSource.cs
+++ b/Xwt/Xwt/TransferDataSource.cs
@@ -158,6 +158,28 @@ public static object DeserializeValue (byte[] data, Type type)
 		{
 			return JsonSerializer.Deserialize (data, type);
 		}
+
+		/// <summary>
+		/// Serializes a value to a byte array using <see cref="System.Runtime.Serialization.Formatters.Binary.BinaryFormatter"/> .
+		/// </summary>
+		/// <returns>The serialized value.</returns>
+		/// <param name="val">The value to serialize.</param>
+		[Obsolete("Use SerializeValue (object val, Type type) instead", true)]
+		public static byte[] SerializeValue(object val)
+		{
+			return new byte[0];
+		}
+
+		/// <summary>
+		/// Deserializes a value from a byte array.
+		/// </summary>
+		/// <returns>The deserialized value.</returns>
+		/// <param name="data">The byte array containing the serialized value.</param>
+		[Obsolete("Use DeserializeValue (byte[] data, Type type) instead", true)]
+		public static object DeserializeValue(byte[] data)
+		{
+			return null;
+		}
 	}
 	
 	/// <summary>

From c2c3eaae61b3464104053665ddae0642ebbadeff Mon Sep 17 00:00:00 2001
From: Bret Johnson <bret.johnson@microsoft.com>
Date: Fri, 17 Feb 2023 10:34:21 -0500
Subject: [PATCH 3/6] Explicitly set Xwt TargetFramework

Explicitly set the TargetFramework in Xwt.csproj
to netstandard2.0, so that it builds properly on
Windows (where it otherwise would default to
.NET Framework 4.6.1).
---
 Xwt/Xwt.csproj | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/Xwt/Xwt.csproj b/Xwt/Xwt.csproj
index 6bc670074..cc7f693ca 100644
--- a/Xwt/Xwt.csproj
+++ b/Xwt/Xwt.csproj
@@ -1,5 +1,7 @@
+<?xml version="1.0" encoding="utf-8"?>
 <Project Sdk="Microsoft.NET.Sdk">
   <PropertyGroup>
+    <TargetFramework>netstandard2.0</TargetFramework>
     <GenerateAssemblyInfo>false</GenerateAssemblyInfo>
     <SignAssembly>true</SignAssembly>
     <AssemblyOriginatorKeyFile>..\xwt.snk</AssemblyOriginatorKeyFile>

From 0ed0b9202cf8a3c59c2b2fc42c318511babfde9b Mon Sep 17 00:00:00 2001
From: Bret Johnson <bret.johnson@microsoft.com>
Date: Sun, 19 Feb 2023 12:09:21 -0500
Subject: [PATCH 4/6] Update to 4.7.2 in Directory props as well

---
 Directory.Build.props | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Directory.Build.props b/Directory.Build.props
index a4dfa6426..27e503f08 100644
--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -6,7 +6,7 @@
     <InMonoDevelopTree Condition="Exists('$(MSBuildThisFileDirectory)..\..\msbuild\MonoDevelop.AfterCommon.props')">True</InMonoDevelopTree>
     <Net6 Condition="Exists('$(MSBuildThisFileDirectory)..\..\msbuild\Net6.props')">True</Net6>
 
-    <DotNetFrameworkTarget>net461</DotNetFrameworkTarget>
+    <DotNetFrameworkTarget>net472</DotNetFrameworkTarget>
     <DotNetCoreTarget>netstandard2.0</DotNetCoreTarget>
 
     <MacTargetFramework Condition="!$(Net6)">$(DotNetFrameworkTarget)</MacTargetFramework>

From 6ed2ea5ad4653d6148bf5993a090452e00168912 Mon Sep 17 00:00:00 2001
From: Bret Johnson <bret.johnson@microsoft.com>
Date: Mon, 20 Feb 2023 18:01:10 -0500
Subject: [PATCH 5/6] Use XML serialization instead of JSON serialization

XML serialization works better than JSON for Android designer
data - it's formatted better and is more mature, with more
options supported.
---
 Xwt/Xwt/TransferDataSource.cs | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)

diff --git a/Xwt/Xwt/TransferDataSource.cs b/Xwt/Xwt/TransferDataSource.cs
index 72b0ceb78..a5244b8c3 100644
--- a/Xwt/Xwt/TransferDataSource.cs
+++ b/Xwt/Xwt/TransferDataSource.cs
@@ -31,7 +31,8 @@
 using System.Runtime.Serialization.Formatters.Binary;
 using Xwt.Drawing;
 using Xwt.Backends;
-using System.Text.Json;
+using System.Xml.Serialization;
+using System.Text;
 
 namespace Xwt
 {
@@ -140,23 +141,34 @@ public object GetValue (TransferDataType type)
 		}
 
 		/// <summary>
-		/// Serializes a value to a byte array using <see cref="System.Text.Json.JsonSerializer"/> .
+		/// Serializes a value to a byte array using <see cref="System.Xml.XmlSerializer"/> .
 		/// </summary>
 		/// <returns>The serialized value.</returns>
 		/// <param name="val">The value to serialize.</param>
 		public static byte[] SerializeValue (object val, Type type)
 		{
-			return JsonSerializer.SerializeToUtf8Bytes (val, type);
+			using (var stream = new MemoryStream ()) {
+				using (var writer = new StreamWriter (stream, new UTF8Encoding ())) {
+					var xmlSerializer = new XmlSerializer (type);
+					xmlSerializer.Serialize (writer, val);
+				}
+				return stream.ToArray ();
+			}
 		}
 		
 		/// <summary>
 		/// Deserializes a value from a byte array.
 		/// </summary>
 		/// <returns>The deserialized value.</returns>
-		/// <param name="data">The byte array containing the Utf8 Json serialized value.</param>
+		/// <param name="data">The byte array containing the Utf8 XML serialized value.</param>
 		public static object DeserializeValue (byte[] data, Type type)
 		{
-			return JsonSerializer.Deserialize (data, type);
+			using (var stream = new MemoryStream (data)) {
+				using (var reader = new StreamReader (stream, new UTF8Encoding ())) {
+					var xmlSerializer = new XmlSerializer (type);
+					return xmlSerializer.Deserialize (reader);
+				}
+			}
 		}
 
 		/// <summary>

From aca3cf74f37498b9e18c6ccdb8cbd810ed893d10 Mon Sep 17 00:00:00 2001
From: Bret Johnson <bret.johnson@microsoft.com>
Date: Mon, 20 Feb 2023 20:11:18 -0500
Subject: [PATCH 6/6] Revert adding Json package ref

---
 Xwt/Xwt.csproj | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/Xwt/Xwt.csproj b/Xwt/Xwt.csproj
index cc7f693ca..40bdfb6b4 100644
--- a/Xwt/Xwt.csproj
+++ b/Xwt/Xwt.csproj
@@ -36,9 +36,6 @@ The framework consists of the frontend (Xwt core) and platform specific backends
     <None Include="..\LICENSE.txt" Pack="true" PackagePath="" />
     <None Include="..\README.markdown" Pack="true" PackagePath="" />
   </ItemGroup>
-  <ItemGroup>
-    <PackageReference Include="System.Text.Json" Version="7.0.2" />
-  </ItemGroup>
   <ProjectExtensions>
     <MonoDevelop>
       <Properties>