Add note about trusting ApplicationArguments data (#12746)

* Ad note about trusting ApplicationArguments data

* Add link to OWASP

Author: sdwheeler

reference/5.1/Microsoft.PowerShell.Core/About/about_Automatic_Variables.md

@@ -1,7 +1,7 @@
 ---
 description: Describes variables that store state information for PowerShell. These variables are created and maintained by PowerShell.
 Locale: en-US
-ms.date: 01/18/2026
+ms.date: 02/10/2026
 no-loc: [Reset, Current, Background, Blink, Bold, Foreground, Formatting, Hidden, Italic, Reset, Reverse, Underline, PSEventArgs, PSEventSubscriber, PSEdition]
 online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_automatic_variables?view=powershell-5.1&WT.mc_id=ps-gethelp
 schema: 2.0.0
@@ -583,6 +583,12 @@ from the originating session. To add data to the **ApplicationArguments**
 property, use the **ApplicationArguments** parameter of the
 `New-PSSessionOption` cmdlet.
 
+> [!IMPORTANT]
+> Since this property contains data explicitly provided by the client, using
+> this for security decisions could allow attackers to bypass authorization
+> controls. Never use this data for trust decisions.
+> [Validate all user input][78] when used for other application logic.
+
 ### `$PSUICulture`
 
 Contains the name of the user interface (UI) culture that's configured in the
@@ -1114,6 +1120,4 @@ Default (Current): End
 [75]: xref:System.Collections.IEnumerator.Current
 [76]: xref:System.Collections.IEnumerator.MoveNext
 [77]: xref:System.Collections.IEnumerator.Reset
-
-
-
+[78]: https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/

reference/5.1/Microsoft.PowerShell.Core/New-PSSessionOption.md

@@ -2,7 +2,7 @@
 external help file: System.Management.Automation.dll-Help.xml
 Locale: en-US
 Module Name: Microsoft.PowerShell.Core
-ms.date: 12/09/2022
+ms.date: 02/10/2026
 online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/new-pssessionoption?view=powershell-5.1&WT.mc_id=ps-gethelp
 schema: 2.0.0
 title: New-PSSessionOption
@@ -267,14 +267,20 @@ The final `Invoke-Command` shows how the data might be used.
 
 ### -ApplicationArguments
 
-Specifies a **PrimitiveDictionary** that is sent to the remote session. Commands and scripts in the
+Specifies a **PrimitiveDictionary** that's sent to the remote session. Commands and scripts in the
 remote session, including startup scripts in the session configuration, can find this dictionary in
 the **ApplicationArguments** property of the `$PSSenderInfo` automatic variable. You can use this
 parameter to send data to the remote session.
 
-For more information, see [about_Hash_Tables](about/about_Hash_Tables.md),
+> [!IMPORTANT]
+> Since this property contains data explicitly provided by the client, using this for security
+> decisions could allow attackers to bypass authorization controls. Never use this data for trust
+> decisions. [Validate all user input](https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/)
+> when used for other application logic.
+
+For more information, see [about_Hash_Tables](About/about_Hash_Tables.md),
 [about_Session_Configurations](About/about_Session_Configurations.md), and
-[about_Automatic_Variables](about/about_Automatic_Variables.md).
+[about_Automatic_Variables](About/about_Automatic_Variables.md).
 
 ```yaml
 Type: System.Management.Automation.PSPrimitiveDictionary

reference/7.4/Microsoft.PowerShell.Core/About/about_Automatic_Variables.md

@@ -1,7 +1,7 @@
 ---
 description: Describes variables that store state information for PowerShell. These variables are created and maintained by PowerShell.
 Locale: en-US
-ms.date: 01/18/2026
+ms.date: 02/10/2026
 no-loc: [Reset, Current, Background, Blink, Bold, Foreground, Formatting, Hidden, Italic, Reset, Reverse, Underline, PSEventArgs, PSEventSubscriber, PSEdition]
 online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_automatic_variables?view=powershell-5.1&WT.mc_id=ps-gethelp
 schema: 2.0.0
@@ -619,6 +619,12 @@ from the originating session. To add data to the **ApplicationArguments**
 property, use the **ApplicationArguments** parameter of the
 `New-PSSessionOption` cmdlet.
 
+> [!IMPORTANT]
+> Since this property contains data explicitly provided by the client, using
+> this for security decisions could allow attackers to bypass authorization
+> controls. Never use this data for trust decisions.
+> [Validate all user input][78] when used for other application logic.
+
 ### `$PSUICulture`
 
 Contains the name of the user interface (UI) culture that's configured in the
@@ -1154,6 +1160,4 @@ Default (Current): End
 [75]: xref:System.Collections.IEnumerator.Current
 [76]: xref:System.Collections.IEnumerator.MoveNext
 [77]: xref:System.Collections.IEnumerator.Reset
-
-
-
+[78]: https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/

reference/7.4/Microsoft.PowerShell.Core/New-PSSessionOption.md

@@ -2,7 +2,7 @@
 external help file: System.Management.Automation.dll-Help.xml
 Locale: en-US
 Module Name: Microsoft.PowerShell.Core
-ms.date: 12/09/2022
+ms.date: 02/10/2026
 online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/new-pssessionoption?view=powershell-7.4&WT.mc_id=ps-gethelp
 schema: 2.0.0
 title: New-PSSessionOption
@@ -267,14 +267,20 @@ The final `Invoke-Command` shows how the data might be used.
 
 ### -ApplicationArguments
 
-Specifies a **PrimitiveDictionary** that is sent to the remote session. Commands and scripts in the
+Specifies a **PrimitiveDictionary** that's sent to the remote session. Commands and scripts in the
 remote session, including startup scripts in the session configuration, can find this dictionary in
 the **ApplicationArguments** property of the `$PSSenderInfo` automatic variable. You can use this
 parameter to send data to the remote session.
 
-For more information, see [about_Hash_Tables](about/about_Hash_Tables.md),
+> [!IMPORTANT]
+> Since this property contains data explicitly provided by the client, using this for security
+> decisions could allow attackers to bypass authorization controls. Never use this data for trust
+> decisions. [Validate all user input](https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/)
+> when used for other application logic.
+
+For more information, see [about_Hash_Tables](About/about_Hash_Tables.md),
 [about_Session_Configurations](About/about_Session_Configurations.md), and
-[about_Automatic_Variables](about/about_Automatic_Variables.md).
+[about_Automatic_Variables](About/about_Automatic_Variables.md).
 
 ```yaml
 Type: System.Management.Automation.PSPrimitiveDictionary

reference/7.5/Microsoft.PowerShell.Core/About/about_Automatic_Variables.md

@@ -1,7 +1,7 @@
 ---
 description: Describes variables that store state information for PowerShell. These variables are created and maintained by PowerShell.
 Locale: en-US
-ms.date: 01/18/2026
+ms.date: 02/10/2026
 no-loc: [Reset, Current, Background, Blink, Bold, Foreground, Formatting, Hidden, Italic, Reset, Reverse, Underline, PSEventArgs, PSEventSubscriber, PSEdition]
 online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_automatic_variables?view=powershell-7.5&WT.mc_id=ps-gethelp
 schema: 2.0.0
@@ -619,6 +619,12 @@ from the originating session. To add data to the **ApplicationArguments**
 property, use the **ApplicationArguments** parameter of the
 `New-PSSessionOption` cmdlet.
 
+> [!IMPORTANT]
+> Since this property contains data explicitly provided by the client, using
+> this for security decisions could allow attackers to bypass authorization
+> controls. Never use this data for trust decisions.
+> [Validate all user input][78] when used for other application logic.
+
 ### `$PSUICulture`
 
 Contains the name of the user interface (UI) culture that's configured in the
@@ -1154,4 +1160,4 @@ Default (Current): End
 [75]: xref:System.Collections.IEnumerator.Current
 [76]: xref:System.Collections.IEnumerator.MoveNext
 [77]: xref:System.Collections.IEnumerator.Reset
-
+[78]: https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/

reference/7.5/Microsoft.PowerShell.Core/New-PSSessionOption.md

@@ -2,7 +2,7 @@
 external help file: System.Management.Automation.dll-Help.xml
 Locale: en-US
 Module Name: Microsoft.PowerShell.Core
-ms.date: 12/09/2022
+ms.date: 02/10/2026
 online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/new-pssessionoption?view=powershell-7.5&WT.mc_id=ps-gethelp
 schema: 2.0.0
 title: New-PSSessionOption
@@ -267,11 +267,17 @@ The final `Invoke-Command` shows how the data might be used.
 
 ### -ApplicationArguments
 
-Specifies a **PrimitiveDictionary** that is sent to the remote session. Commands and scripts in the
+Specifies a **PrimitiveDictionary** that's sent to the remote session. Commands and scripts in the
 remote session, including startup scripts in the session configuration, can find this dictionary in
 the **ApplicationArguments** property of the `$PSSenderInfo` automatic variable. You can use this
 parameter to send data to the remote session.
 
+> [!IMPORTANT]
+> Since this property contains data explicitly provided by the client, using this for security
+> decisions could allow attackers to bypass authorization controls. Never use this data for trust
+> decisions. [Validate all user input](https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/)
+> when used for other application logic.
+
 For more information, see [about_Hash_Tables](About/about_Hash_Tables.md),
 [about_Session_Configurations](About/about_Session_Configurations.md), and
 [about_Automatic_Variables](About/about_Automatic_Variables.md).

reference/7.6/Microsoft.PowerShell.Core/About/about_Automatic_Variables.md

@@ -1,7 +1,7 @@
 ---
 description: Describes variables that store state information for PowerShell. These variables are created and maintained by PowerShell.
 Locale: en-US
-ms.date: 01/18/2026
+ms.date: 02/10/2026
 no-loc: [Reset, Current, Background, Blink, Bold, Foreground, Formatting, Hidden, Italic, Reset, Reverse, Underline, PSEventArgs, PSEventSubscriber, PSEdition]
 online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_automatic_variables?view=powershell-7.6&WT.mc_id=ps-gethelp
 schema: 2.0.0
@@ -619,6 +619,12 @@ from the originating session. To add data to the **ApplicationArguments**
 property, use the **ApplicationArguments** parameter of the
 `New-PSSessionOption` cmdlet.
 
+> [!IMPORTANT]
+> Since this property contains data explicitly provided by the client, using
+> this for security decisions could allow attackers to bypass authorization
+> controls. Never use this data for trust decisions.
+> [Validate all user input][78] when used for other application logic.
+
 ### `$PSUICulture`
 
 Contains the name of the user interface (UI) culture that's configured in the
@@ -1154,4 +1160,4 @@ Default (Current): End
 [75]: xref:System.Collections.IEnumerator.Current
 [76]: xref:System.Collections.IEnumerator.MoveNext
 [77]: xref:System.Collections.IEnumerator.Reset
-
+[78]: https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/

reference/7.6/Microsoft.PowerShell.Core/New-PSSessionOption.md

@@ -2,7 +2,7 @@
 external help file: System.Management.Automation.dll-Help.xml
 Locale: en-US
 Module Name: Microsoft.PowerShell.Core
-ms.date: 12/09/2022
+ms.date: 02/10/2026
 online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/new-pssessionoption?view=powershell-7.6&WT.mc_id=ps-gethelp
 schema: 2.0.0
 title: New-PSSessionOption
@@ -267,14 +267,20 @@ The final `Invoke-Command` shows how the data might be used.
 
 ### -ApplicationArguments
 
-Specifies a **PrimitiveDictionary** that is sent to the remote session. Commands and scripts in the
+Specifies a **PrimitiveDictionary** that's sent to the remote session. Commands and scripts in the
 remote session, including startup scripts in the session configuration, can find this dictionary in
 the **ApplicationArguments** property of the `$PSSenderInfo` automatic variable. You can use this
 parameter to send data to the remote session.
 
-For more information, see [about_Hash_Tables](about/about_Hash_Tables.md),
+> [!IMPORTANT]
+> Since this property contains data explicitly provided by the client, using this for security
+> decisions could allow attackers to bypass authorization controls. Never use this data for trust
+> decisions. [Validate all user input](https://top10proactive.owasp.org/archive/2024/the-top-10/c3-validate-input-and-handle-exceptions/)
+> when used for other application logic.
+
+For more information, see [about_Hash_Tables](About/about_Hash_Tables.md),
 [about_Session_Configurations](About/about_Session_Configurations.md), and
-[about_Automatic_Variables](about/about_Automatic_Variables.md).
+[about_Automatic_Variables](About/about_Automatic_Variables.md).
 
 ```yaml
 Type: System.Management.Automation.PSPrimitiveDictionary