
[Audit-Low] DocCommentFormatter.FormatEntityCref doesn't escape name/… #4494

@pepone

Description

AI-generated audit finding — this issue was opened from an automated security/correctness audit. It has not been triaged by a human yet; verify the reasoning, reproducibility, and severity before acting on it.

Low: DocCommentFormatter.FormatEntityCref doesn't escape name/namespace in the cref attribute value

Affected code:

Description:

FormatEntityCref concatenates entity.Namespace and a computed name. Both can originate from CS-attribute values (via cs::identifier on the module for namespace, or cs::type on a CustomType for the type name itself). The returned string is then placed inside an XML cref="..." attribute without XML-escaping. If either value contains ", <, >, or &, the resulting XML doc comment is malformed.

The XmlEscape helper is defined in the same file and is used in several sibling paths (FormatOverview, FormatInlineLink for UnresolvedCommentLink and TypeAlias). FormatEntityCref is the outlier.

Impact:

  • Generated XML doc comments break under unusual CS-attribute values.
  • DocFX / GenerateDocumentationFile=true fail to parse.

Recommendation:

  • Apply XmlEscape (or System.Security.SecurityElement.Escape) to both entityNamespace and name before splicing.
  • Add a test with a cs::type("MyClass<int>") on a CustomType whose doc comment references it.

Severity: Low.


Source report: src-ZeroC.Slice.Generator-audit-2026-04-14.md (finding `DocCommentFormatter.FormatEntityCref` doesn't escape name/namespace in the `cref` attribute value)

Severity (auditor-assigned): Low
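The following is an added illustration of the defect and the recommended fix; it is not code from ZeroC.Slice.Generator. The `Entity` record, the two `FormatEntityCref*` helpers and the sample attribute values are constructed stand-ins for the generator's real types. It splices a namespace and a type name into a `cref` attribute once raw and once through `System.Security.SecurityElement.Escape`, then checks with `XmlDocument` whether the resulting doc-comment fragment parses, which is the failure mode the finding describes for DocFX and `GenerateDocumentationFile=true`.

```csharp
using System;
using System.Security;
using System.Xml;

// Constructed stand-in for the generator's entity model (hypothetical; not the project's type).
sealed class Entity
{
    public string Namespace { get; }
    public string Name { get; }
    public Entity(string ns, string name) { Namespace = ns; Name = name; }
}

static class CrefDemo
{
    // Attribute-safe escaping: SecurityElement.Escape rewrites & < > " and ',
    // which are all the characters that can break an XML attribute value.
    static string XmlEscape(string s) => SecurityElement.Escape(s) ?? string.Empty;

    // Shape of the defect: namespace and name spliced into the cref without escaping.
    static string FormatEntityCrefUnescaped(Entity e) =>
        $"T:{e.Namespace}.{e.Name}";

    // Recommended shape: escape both components before splicing.
    static string FormatEntityCrefEscaped(Entity e) =>
        $"T:{XmlEscape(e.Namespace)}.{XmlEscape(e.Name)}";

    // Emit the <see/> element the way a doc comment would carry it and try to parse it.
    static bool IsWellFormed(string cref)
    {
        string fragment = $"<see cref=\"{cref}\"/>";
        try
        {
            new XmlDocument().LoadXml(fragment);
            return true;
        }
        catch (XmlException)
        {
            return false;
        }
    }

    static void Main()
    {
        // Constructed values standing in for cs::identifier / cs::type attribute contents:
        // a namespace containing a quote and a generic type name containing angle brackets.
        var entity = new Entity("My\"Ns", "MyClass<int>");

        string raw = FormatEntityCrefUnescaped(entity);
        string escaped = FormatEntityCrefEscaped(entity);

        Console.WriteLine($"unescaped: {raw}  well-formed: {IsWellFormed(raw)}");
        Console.WriteLine($"escaped:   {escaped}  well-formed: {IsWellFormed(escaped)}");
    }
}
```

Run under any .NET SDK as a console project: the unescaped line reports `well-formed: False` because the embedded `"` terminates the attribute early and `<` is illegal inside an attribute value, while the escaped line reports `True` with `&quot;`, `&lt;` and `&gt;` in place. A regression test along the lines of the recommendation above can assert exactly this `IsWellFormed` outcome on the generator's real output.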

Labels: ai-audit (AI-generated audit finding — needs human triage), code generators