StyleCop and FxCop fixes.

25 files changed, 296 insertions, 182 deletions

diff --git a/src/DotNetOpenAuth/ComponentModel/ConverterBase.cs b/src/DotNetOpenAuth/ComponentModel/ConverterBase.cs
index 37f9c78..980d90f 100644
--- a/src/DotNetOpenAuth/ComponentModel/ConverterBase.cs
+++ b/src/DotNetOpenAuth/ComponentModel/ConverterBase.cs
@@ -144,6 +144,7 @@ using System.Reflection;
 		/// The conversion cannot be performed.
 		/// </exception>
 		public override object ConvertTo(ITypeDescriptorContext context, CultureInfo culture, object value, Type destinationType) {
+			Contract.Assume(destinationType != null, "Missing contract.");
 			if (destinationType.IsInstanceOfType(value)) {
 				return value;
 			}
diff --git a/src/DotNetOpenAuth/DotNetOpenAuth.csproj b/src/DotNetOpenAuth/DotNetOpenAuth.csproj
index 3dee328..bca2a84 100644
--- a/src/DotNetOpenAuth/DotNetOpenAuth.csproj
+++ b/src/DotNetOpenAuth/DotNetOpenAuth.csproj
@@ -163,7 +163,7 @@ http://opensource.org/licenses/ms-pl.html
     <CodeContractsEmitXMLDocs>True</CodeContractsEmitXMLDocs>
     <CodeContractsRedundantAssumptions>False</CodeContractsRedundantAssumptions>
     <CodeContractsReferenceAssembly>Build</CodeContractsReferenceAssembly>
-    <CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
+    <CodeAnalysisRuleSet>Migrated rules for DotNetOpenAuth.ruleset</CodeAnalysisRuleSet>
   </PropertyGroup>
   <ItemGroup>
     <Reference Include="log4net, Version=1.2.10.0, Culture=neutral, PublicKeyToken=1b44e1d426115821, processorArchitecture=MSIL">
diff --git a/src/DotNetOpenAuth/GlobalSuppressions.cs b/src/DotNetOpenAuth/GlobalSuppressions.cs
index e436846..9b1bcfa 100644
--- a/src/DotNetOpenAuth/GlobalSuppressions.cs
+++ b/src/DotNetOpenAuth/GlobalSuppressions.cs
@@ -57,3 +57,6 @@
 [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Design", "CA1033:InterfaceMethodsShouldBeCallableByChildTypes", Scope = "member", Target = "DotNetOpenAuth.OpenId.Behaviors.AXFetchAsSregTransform.#DotNetOpenAuth.OpenId.Provider.IProviderBehavior.OnIncomingRequest(DotNetOpenAuth.OpenId.Provider.IRequest)")]
 [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Design", "CA1033:InterfaceMethodsShouldBeCallableByChildTypes", Scope = "member", Target = "DotNetOpenAuth.OpenId.Behaviors.AXFetchAsSregTransform.#DotNetOpenAuth.OpenId.Provider.IProviderBehavior.ApplySecuritySettings(DotNetOpenAuth.OpenId.Provider.ProviderSecuritySettings)")]
 [assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Usage", "CA2243:AttributeStringLiteralsShouldParseCorrectly")]
+[assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Design", "CA1020:AvoidNamespacesWithFewTypes", Scope = "namespace", Target = "DotNetOpenAuth.Mvc")]
+[assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Naming", "CA1704:IdentifiersShouldBeSpelledCorrectly", MessageId = "Mvc", Scope = "namespace", Target = "DotNetOpenAuth.Mvc")]
+[assembly: System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Portability", "CA1903:UseOnlyApiFromTargetedFramework", MessageId = "System.Web.Routing, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35")]
diff --git a/src/DotNetOpenAuth/InfoCard/InfoCardSelector.cs b/src/DotNetOpenAuth/InfoCard/InfoCardSelector.cs
index 86c1118..ae45229 100644
--- a/src/DotNetOpenAuth/InfoCard/InfoCardSelector.cs
+++ b/src/DotNetOpenAuth/InfoCard/InfoCardSelector.cs
@@ -268,6 +268,7 @@ namespace DotNetOpenAuth.InfoCard {
 		[Category(InfoCardCategory), DefaultValue(PrivacyUrlDefault)]
 		[SuppressMessage("Microsoft.Usage", "CA1806:DoNotIgnoreMethodResults", MessageId = "System.Uri", Justification = "We construct a Uri to validate the format of the string.")]
 		[SuppressMessage("Microsoft.Usage", "CA2234:PassSystemUriObjectsInsteadOfStrings", Justification = "That overload is NOT the same.")]
+		[SuppressMessage("Microsoft.Design", "CA1056:UriPropertiesShouldNotBeStrings", Justification = "This can take ~/ paths.")]
 		public string PrivacyUrl {
 			get {
 				return (string)this.ViewState[PrivacyUrlViewStateKey] ?? PrivacyUrlDefault;
@@ -570,24 +571,28 @@ namespace DotNetOpenAuth.InfoCard {
 
 			Panel supportedPanel = new Panel();
 
-			if (!this.DesignMode) {
-				// At the user agent, assume InfoCard is not supported until
-				// the JavaScript discovers otherwise and reveals this panel.
-				supportedPanel.Style[HtmlTextWriterStyle.Display] = "none";
-			}
+			try {
+				if (!this.DesignMode) {
+					// At the user agent, assume InfoCard is not supported until
+					// the JavaScript discovers otherwise and reveals this panel.
+					supportedPanel.Style[HtmlTextWriterStyle.Display] = "none";
+				}
 
-			supportedPanel.Controls.Add(this.CreateInfoCardImage());
+				supportedPanel.Controls.Add(this.CreateInfoCardImage());
 
-			// trigger the selector at page load?
-			if (this.AutoPopup && !this.Page.IsPostBack) {
-				this.Page.ClientScript.RegisterStartupScript(
-					typeof(InfoCardSelector),
-					"selector_load_trigger",
-					this.GetInfoCardSelectorActivationScript(true),
-					true);
+				// trigger the selector at page load?
+				if (this.AutoPopup && !this.Page.IsPostBack) {
+					this.Page.ClientScript.RegisterStartupScript(
+						typeof(InfoCardSelector),
+						"selector_load_trigger",
+						this.GetInfoCardSelectorActivationScript(true),
+						true);
+				}
+				return supportedPanel;
+			} catch {
+				supportedPanel.Dispose();
+				throw;
 			}
-
-			return supportedPanel;
 		}
 
 		/// <summary>
@@ -624,10 +629,15 @@ namespace DotNetOpenAuth.InfoCard {
 			Contract.Ensures(Contract.Result<Panel>() != null);
 
 			Panel unsupportedPanel = new Panel();
-			if (this.UnsupportedTemplate != null) {
-				this.UnsupportedTemplate.InstantiateIn(unsupportedPanel);
+			try {
+				if (this.UnsupportedTemplate != null) {
+					this.UnsupportedTemplate.InstantiateIn(unsupportedPanel);
+				}
+				return unsupportedPanel;
+			} catch {
+				unsupportedPanel.Dispose();
+				throw;
 			}
-			return unsupportedPanel;
 		}
 
 		/// <summary>
@@ -692,13 +702,18 @@ namespace DotNetOpenAuth.InfoCard {
 		private Image CreateInfoCardImage() {
 			// add clickable image
 			Image image = new Image();
-			image.ImageUrl = this.Page.ClientScript.GetWebResourceUrl(typeof(InfoCardSelector), InfoCardImage.GetImageManifestResourceStreamName(this.ImageSize));
-			image.AlternateText = InfoCardStrings.SelectorClickPrompt;
-			image.ToolTip = this.ToolTip;
-			image.Style[HtmlTextWriterStyle.Cursor] = "hand";
-
-			image.Attributes["onclick"] = this.GetInfoCardSelectorActivationScript(false);
-			return image;
+			try {
+				image.ImageUrl = this.Page.ClientScript.GetWebResourceUrl(typeof(InfoCardSelector), InfoCardImage.GetImageManifestResourceStreamName(this.ImageSize));
+				image.AlternateText = InfoCardStrings.SelectorClickPrompt;
+				image.ToolTip = this.ToolTip;
+				image.Style[HtmlTextWriterStyle.Cursor] = "hand";
+
+				image.Attributes["onclick"] = this.GetInfoCardSelectorActivationScript(false);
+				return image;
+			} catch {
+				image.Dispose();
+				throw;
+			}
 		}
 
 		/// <summary>
diff --git a/src/DotNetOpenAuth/InfoCard/ReceivingTokenEventArgs.cs b/src/DotNetOpenAuth/InfoCard/ReceivingTokenEventArgs.cs
index 124f9f8..2ac2b7e 100644
--- a/src/DotNetOpenAuth/InfoCard/ReceivingTokenEventArgs.cs
+++ b/src/DotNetOpenAuth/InfoCard/ReceivingTokenEventArgs.cs
@@ -74,7 +74,13 @@ namespace DotNetOpenAuth.InfoCard {
 		public void AddDecryptingToken(X509Certificate2 certificate) {
 			Contract.Requires<ArgumentNullException>(certificate != null);
 			Contract.Requires<ArgumentException>(certificate.HasPrivateKey);
-			this.AddDecryptingToken(new X509SecurityToken(certificate));
+			var cert = new X509SecurityToken(certificate);
+			try {
+				this.AddDecryptingToken(cert);
+			} catch {
+				cert.Dispose();
+				throw;
+			}
 		}
 
 #if CONTRACTS_FULL
diff --git a/src/DotNetOpenAuth/InfoCard/Token/Token.cs b/src/DotNetOpenAuth/InfoCard/Token/Token.cs
index 7fa9a95..89fa3a3 100644
--- a/src/DotNetOpenAuth/InfoCard/Token/Token.cs
+++ b/src/DotNetOpenAuth/InfoCard/Token/Token.cs
@@ -49,16 +49,18 @@ namespace DotNetOpenAuth.InfoCard {
 			byte[] decryptedBytes;
 			string decryptedString;
 
-			using (XmlReader tokenReader = XmlReader.Create(new StringReader(tokenXml))) {
-				Contract.Assume(tokenReader != null); // BCL contract should say XmlReader.Create result != null
-				if (IsEncrypted(tokenReader)) {
-					Logger.InfoCard.DebugFormat("Incoming SAML token, before decryption: {0}", tokenXml);
-					decryptedBytes = decryptor.DecryptToken(tokenReader);
-					decryptedString = Encoding.UTF8.GetString(decryptedBytes);
-					Contract.Assume(decryptedString != null); // BCL contracts should be enhanced here
-				} else {
-					decryptedBytes = Encoding.UTF8.GetBytes(tokenXml);
-					decryptedString = tokenXml;
+			using (StringReader xmlReader = new StringReader(tokenXml)) {
+				using (XmlReader tokenReader = XmlReader.Create(xmlReader)) {
+					Contract.Assume(tokenReader != null); // BCL contract should say XmlReader.Create result != null
+					if (IsEncrypted(tokenReader)) {
+						Logger.InfoCard.DebugFormat("Incoming SAML token, before decryption: {0}", tokenXml);
+						decryptedBytes = decryptor.DecryptToken(tokenReader);
+						decryptedString = Encoding.UTF8.GetString(decryptedBytes);
+						Contract.Assume(decryptedString != null); // BCL contracts should be enhanced here
+					} else {
+						decryptedBytes = Encoding.UTF8.GetBytes(tokenXml);
+						decryptedString = tokenXml;
+					}
 				}
 			}
 
diff --git a/src/DotNetOpenAuth/InfoCard/Token/TokenUtility.cs b/src/DotNetOpenAuth/InfoCard/Token/TokenUtility.cs
index 48b7794..4ac871a 100644
--- a/src/DotNetOpenAuth/InfoCard/Token/TokenUtility.cs
+++ b/src/DotNetOpenAuth/InfoCard/Token/TokenUtility.cs
@@ -226,7 +226,9 @@ namespace DotNetOpenAuth.InfoCard {
 			int charMapLength = charMap.Length;
 
 			byte[] raw = Convert.FromBase64String(ppid);
-			raw = SHA1.Create().ComputeHash(raw);
+			using (HashAlgorithm hasher = SHA1.Create()) {
+				raw = hasher.ComputeHash(raw);
+			}
 
 			StringBuilder callSign = new StringBuilder();
 
diff --git a/src/DotNetOpenAuth/Messaging/Channel.cs b/src/DotNetOpenAuth/Messaging/Channel.cs
index 7198c78..055ce68 100644
--- a/src/DotNetOpenAuth/Messaging/Channel.cs
+++ b/src/DotNetOpenAuth/Messaging/Channel.cs
@@ -695,27 +695,28 @@ namespace DotNetOpenAuth.Messaging {
 
 			WebHeaderCollection headers = new WebHeaderCollection();
 			headers.Add(HttpResponseHeader.ContentType, "text/html");
-			StringWriter bodyWriter = new StringWriter(CultureInfo.InvariantCulture);
-			StringBuilder hiddenFields = new StringBuilder();
-			foreach (var field in fields) {
-				hiddenFields.AppendFormat(
-					"\t<input type=\"hidden\" name=\"{0}\" value=\"{1}\" />\r\n",
-					HttpUtility.HtmlEncode(field.Key),
-					HttpUtility.HtmlEncode(field.Value));
+			using (StringWriter bodyWriter = new StringWriter(CultureInfo.InvariantCulture)) {
+				StringBuilder hiddenFields = new StringBuilder();
+				foreach (var field in fields) {
+					hiddenFields.AppendFormat(
+						"\t<input type=\"hidden\" name=\"{0}\" value=\"{1}\" />\r\n",
+						HttpUtility.HtmlEncode(field.Key),
+						HttpUtility.HtmlEncode(field.Value));
+				}
+				bodyWriter.WriteLine(
+					IndirectMessageFormPostFormat,
+					HttpUtility.HtmlEncode(message.Recipient.AbsoluteUri),
+					hiddenFields);
+				bodyWriter.Flush();
+				OutgoingWebResponse response = new OutgoingWebResponse {
+					Status = HttpStatusCode.OK,
+					Headers = headers,
+					Body = bodyWriter.ToString(),
+					OriginalMessage = message
+				};
+
+				return response;
 			}
-			bodyWriter.WriteLine(
-				IndirectMessageFormPostFormat,
-				HttpUtility.HtmlEncode(message.Recipient.AbsoluteUri),
-				hiddenFields);
-			bodyWriter.Flush();
-			OutgoingWebResponse response = new OutgoingWebResponse {
-				Status = HttpStatusCode.OK,
-				Headers = headers,
-				Body = bodyWriter.ToString(),
-				OriginalMessage = message
-			};
-
-			return response;
 		}
 
 		/// <summary>
diff --git a/src/DotNetOpenAuth/Migrated rules for DotNetOpenAuth.ruleset b/src/DotNetOpenAuth/Migrated rules for DotNetOpenAuth.ruleset
index cee6f53..db238b6 100644
--- a/src/DotNetOpenAuth/Migrated rules for DotNetOpenAuth.ruleset
+++ b/src/DotNetOpenAuth/Migrated rules for DotNetOpenAuth.ruleset
@@ -5,5 +5,6 @@
     <Rule Id="CA1054" Action="None" />
     <Rule Id="CA1055" Action="None" />
     <Rule Id="CA1056" Action="None" />
+    <Rule Id="CA2104" Action="None" />
   </Rules>
 </RuleSet>
\ No newline at end of file
diff --git a/src/DotNetOpenAuth/OAuth/ChannelElements/SigningBindingElementBase.cs b/src/DotNetOpenAuth/OAuth/ChannelElements/SigningBindingElementBase.cs
index b45da66..cf09036 100644
--- a/src/DotNetOpenAuth/OAuth/ChannelElements/SigningBindingElementBase.cs
+++ b/src/DotNetOpenAuth/OAuth/ChannelElements/SigningBindingElementBase.cs
@@ -258,6 +258,8 @@ namespace DotNetOpenAuth.OAuth.ChannelElements {
 		/// 	<c>true</c> if the signature on the message is valid; otherwise, <c>false</c>.
 		/// </returns>
 		protected virtual bool IsSignatureValid(ITamperResistantOAuthMessage message) {
+			Contract.Requires<ArgumentNullException>(message != null);
+
 			string signature = this.GetSignature(message);
 			return message.Signature == signature;
 		}
diff --git a/src/DotNetOpenAuth/OpenId/Association.cs b/src/DotNetOpenAuth/OpenId/Association.cs
index 62e91ec..3c7e89f 100644
--- a/src/DotNetOpenAuth/OpenId/Association.cs
+++ b/src/DotNetOpenAuth/OpenId/Association.cs
@@ -238,24 +238,28 @@ namespace DotNetOpenAuth.OpenId {
 		/// </returns>
 		public override int GetHashCode() {
 			HMACSHA1 hmac = new HMACSHA1(this.SecretKey);
-			CryptoStream cs = new CryptoStream(Stream.Null, hmac, CryptoStreamMode.Write);
+			try {
+				CryptoStream cs = new CryptoStream(Stream.Null, hmac, CryptoStreamMode.Write);
 
-			byte[] hbytes = ASCIIEncoding.ASCII.GetBytes(this.Handle);
+				byte[] hbytes = ASCIIEncoding.ASCII.GetBytes(this.Handle);
 
-			cs.Write(hbytes, 0, hbytes.Length);
-			cs.Close();
+				cs.Write(hbytes, 0, hbytes.Length);
+				cs.Close();
 
-			byte[] hash = hmac.Hash;
-			hmac.Clear();
+				byte[] hash = hmac.Hash;
+				hmac.Clear();
 
-			long val = 0;
-			for (int i = 0; i < hash.Length; i++) {
-				val = val ^ (long)hash[i];
-			}
+				long val = 0;
+				for (int i = 0; i < hash.Length; i++) {
+					val = val ^ (long)hash[i];
+				}
 
-			val = val ^ this.Expires.ToFileTimeUtc();
+				val = val ^ this.Expires.ToFileTimeUtc();
 
-			return (int)val;
+				return (int)val;
+			} finally {
+				((IDisposable)hmac).Dispose();
+			}
 		}
 
 		/// <summary>
diff --git a/src/DotNetOpenAuth/OpenId/Extensions/UI/UIRequest.cs b/src/DotNetOpenAuth/OpenId/Extensions/UI/UIRequest.cs
index bafdda5..f178647 100644
--- a/src/DotNetOpenAuth/OpenId/Extensions/UI/UIRequest.cs
+++ b/src/DotNetOpenAuth/OpenId/Extensions/UI/UIRequest.cs
@@ -76,7 +76,7 @@ namespace DotNetOpenAuth.OpenId.Extensions.UI {
 		public CultureInfo[] LanguagePreference { get; set; }
 
 		/// <summary>
-		/// Gets the style of UI that the RP is hosting the OP's authentication page in.
+		/// Gets or sets the style of UI that the RP is hosting the OP's authentication page in.
 		/// </summary>
 		/// <value>Some value from the <see cref="UIModes"/> class.  Defaults to <see cref="UIModes.Popup"/>.</value>
 		[MessagePart("mode", AllowEmpty = false, IsRequired = true)]
diff --git a/src/DotNetOpenAuth/OpenId/HostMetaDiscoveryService.cs b/src/DotNetOpenAuth/OpenId/HostMetaDiscoveryService.cs
index e96f362..7603f9f 100644
--- a/src/DotNetOpenAuth/OpenId/HostMetaDiscoveryService.cs
+++ b/src/DotNetOpenAuth/OpenId/HostMetaDiscoveryService.cs
@@ -217,9 +217,9 @@ namespace DotNetOpenAuth.OpenId {
 			Contract.Requires<ArgumentNullException>(response != null);
 
 			var signatureNode = document.Node.SelectSingleNode("/xrds:XRDS/ds:Signature", document.XmlNamespaceResolver);
-			ErrorUtilities.VerifyProtocol(signatureNode != null, "Missing Signature element.");
+			ErrorUtilities.VerifyProtocol(signatureNode != null, OpenIdStrings.MissingElement, "Signature");
 			var signedInfoNode = signatureNode.SelectSingleNode("ds:SignedInfo", document.XmlNamespaceResolver);
-			ErrorUtilities.VerifyProtocol(signedInfoNode != null, "Missing SignedInfo element.");
+			ErrorUtilities.VerifyProtocol(signedInfoNode != null, OpenIdStrings.MissingElement, "SignedInfo");
 			ErrorUtilities.VerifyProtocol(
 				signedInfoNode.SelectSingleNode("ds:CanonicalizationMethod[@Algorithm='http://docs.oasis-open.org/xri/xrd/2009/01#canonicalize-raw-octets']", document.XmlNamespaceResolver) != null,
 				"Unrecognized or missing canonicalization method.");
@@ -227,7 +227,7 @@ namespace DotNetOpenAuth.OpenId {
 				signedInfoNode.SelectSingleNode("ds:SignatureMethod[@Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1']", document.XmlNamespaceResolver) != null,
 				"Unrecognized or missing signature method.");
 			var certNodes = signatureNode.Select("ds:KeyInfo/ds:X509Data/ds:X509Certificate", document.XmlNamespaceResolver);
-			ErrorUtilities.VerifyProtocol(certNodes.Count > 0, "Missing X509Certificate element.");
+			ErrorUtilities.VerifyProtocol(certNodes.Count > 0, OpenIdStrings.MissingElement, "X509Certificate");
 			var certs = certNodes.Cast<XPathNavigator>().Select(n => new X509Certificate2(Convert.FromBase64String(n.Value.Trim()))).ToList();
 
 			// Verify that we trust the signer of the certificates.
diff --git a/src/DotNetOpenAuth/OpenId/OpenIdStrings.Designer.cs b/src/DotNetOpenAuth/OpenId/OpenIdStrings.Designer.cs
index 9c2c88c..43283ac 100644
--- a/src/DotNetOpenAuth/OpenId/OpenIdStrings.Designer.cs
+++ b/src/DotNetOpenAuth/OpenId/OpenIdStrings.Designer.cs
@@ -425,6 +425,15 @@ namespace DotNetOpenAuth.OpenId {
         }
         
         /// <summary>
+        ///   Looks up a localized string similar to Missing {0} element..
+        /// </summary>
+        internal static string MissingElement {
+            get {
+                return ResourceManager.GetString("MissingElement", resourceCulture);
+            }
+        }
+        
+        /// <summary>
         ///   Looks up a localized string similar to No recognized association type matches the requested length of {0}..
         /// </summary>
         internal static string NoAssociationTypeFoundByLength {
diff --git a/src/DotNetOpenAuth/OpenId/OpenIdStrings.resx b/src/DotNetOpenAuth/OpenId/OpenIdStrings.resx
index b5eb570..fab03a9 100644
--- a/src/DotNetOpenAuth/OpenId/OpenIdStrings.resx
+++ b/src/DotNetOpenAuth/OpenId/OpenIdStrings.resx
@@ -352,4 +352,7 @@ Discovered endpoint info:
   <data name="ClaimedIdentifierDefiesDotNetNormalization" xml:space="preserve">
     <value>This OpenID exploits features that this relying party cannot reliably verify.  Please try logging in with a human-readable OpenID or from a different OpenID Provider.</value>
   </data>
+  <data name="MissingElement" xml:space="preserve">
+    <value>Missing {0} element.</value>
+  </data>
 </root>
\ No newline at end of file
diff --git a/src/DotNetOpenAuth/OpenId/RelyingParty/OpenIdLogin.cs b/src/DotNetOpenAuth/OpenId/RelyingParty/OpenIdLogin.cs
index c13c61c..4aa78a5 100644
--- a/src/DotNetOpenAuth/OpenId/RelyingParty/OpenIdLogin.cs
+++ b/src/DotNetOpenAuth/OpenId/RelyingParty/OpenIdLogin.cs
@@ -702,79 +702,104 @@ namespace DotNetOpenAuth.OpenId.RelyingParty {
 
 			// top row, left cell
 			cell = new TableCell();
-			this.label = new HtmlGenericControl("label");
-			this.label.InnerText = LabelTextDefault;
-			cell.Controls.Add(this.label);
-			row1.Cells.Add(cell);
+			try {
+				this.label = new HtmlGenericControl("label");
+				this.label.InnerText = LabelTextDefault;
+				cell.Controls.Add(this.label);
+				row1.Cells.Add(cell);
+			} catch {
+				cell.Dispose();
+				throw;
+			}
 
 			// top row, middle cell
 			cell = new TableCell();
-			cell.Controls.Add(new InPlaceControl(this));
-			row1.Cells.Add(cell);
+			try {
+				cell.Controls.Add(new InPlaceControl(this));
+				row1.Cells.Add(cell);
+			} catch {
+				cell.Dispose();
+				throw;
+			}
 
 			// top row, right cell
 			cell = new TableCell();
-			this.loginButton = new Button();
-			this.loginButton.ID = "loginButton";
-			this.loginButton.Text = ButtonTextDefault;
-			this.loginButton.ToolTip = ButtonToolTipDefault;
-			this.loginButton.Click += this.LoginButton_Click;
-			this.loginButton.ValidationGroup = ValidationGroupDefault;
+			try {
+				this.loginButton = new Button();
+				this.loginButton.ID = "loginButton";
+				this.loginButton.Text = ButtonTextDefault;
+				this.loginButton.ToolTip = ButtonToolTipDefault;
+				this.loginButton.Click += this.LoginButton_Click;
+				this.loginButton.ValidationGroup = ValidationGroupDefault;
 #if !Mono
-			this.panel.DefaultButton = this.loginButton.ID;
+				this.panel.DefaultButton = this.loginButton.ID;
 #endif
-			cell.Controls.Add(this.loginButton);
-			row1.Cells.Add(cell);
+				cell.Controls.Add(this.loginButton);
+				row1.Cells.Add(cell);
+			} catch {
+				cell.Dispose();
+				throw;
+			}
 
 			// middle row, left cell
 			row2.Cells.Add(new TableCell());
 
 			// middle row, middle cell
 			cell = new TableCell();
-			cell.Style[HtmlTextWriterStyle.Color] = "gray";
-			cell.Style[HtmlTextWriterStyle.FontSize] = "smaller";
-			this.requiredValidator = new RequiredFieldValidator();
-			this.requiredValidator.ErrorMessage = RequiredTextDefault + RequiredTextSuffix;
-			this.requiredValidator.Text = RequiredTextDefault + RequiredTextSuffix;
-			this.requiredValidator.Display = ValidatorDisplay.Dynamic;
-			this.requiredValidator.ValidationGroup = ValidationGroupDefault;
-			cell.Controls.Add(this.requiredValidator);
-			this.identifierFormatValidator = new CustomValidator();
-			this.identifierFormatValidator.ErrorMessage = UriFormatTextDefault + RequiredTextSuffix;
-			this.identifierFormatValidator.Text = UriFormatTextDefault + RequiredTextSuffix;
-			this.identifierFormatValidator.ServerValidate += this.IdentifierFormatValidator_ServerValidate;
-			this.identifierFormatValidator.Enabled = UriValidatorEnabledDefault;
-			this.identifierFormatValidator.Display = ValidatorDisplay.Dynamic;
-			this.identifierFormatValidator.ValidationGroup = ValidationGroupDefault;
-			cell.Controls.Add(this.identifierFormatValidator);
-			this.errorLabel = new Label();
-			this.errorLabel.EnableViewState = false;
-			this.errorLabel.ForeColor = System.Drawing.Color.Red;
-			this.errorLabel.Style[HtmlTextWriterStyle.Display] = "block"; // puts it on its own line
-			this.errorLabel.Visible = false;
-			cell.Controls.Add(this.errorLabel);
-			this.examplePrefixLabel = new Label();
-			this.examplePrefixLabel.Text = ExamplePrefixDefault;
-			cell.Controls.Add(this.examplePrefixLabel);
-			cell.Controls.Add(new LiteralControl(" "));
-			this.exampleUrlLabel = new Label();
-			this.exampleUrlLabel.Font.Bold = true;
-			this.exampleUrlLabel.Text = ExampleUrlDefault;
-			cell.Controls.Add(this.exampleUrlLabel);
-			row2.Cells.Add(cell);
+			try {
+				cell.Style[HtmlTextWriterStyle.Color] = "gray";
+				cell.Style[HtmlTextWriterStyle.FontSize] = "smaller";
+				this.requiredValidator = new RequiredFieldValidator();
+				this.requiredValidator.ErrorMessage = RequiredTextDefault + RequiredTextSuffix;
+				this.requiredValidator.Text = RequiredTextDefault + RequiredTextSuffix;
+				this.requiredValidator.Display = ValidatorDisplay.Dynamic;
+				this.requiredValidator.ValidationGroup = ValidationGroupDefault;
+				cell.Controls.Add(this.requiredValidator);
+				this.identifierFormatValidator = new CustomValidator();
+				this.identifierFormatValidator.ErrorMessage = UriFormatTextDefault + RequiredTextSuffix;
+				this.identifierFormatValidator.Text = UriFormatTextDefault + RequiredTextSuffix;
+				this.identifierFormatValidator.ServerValidate += this.IdentifierFormatValidator_ServerValidate;
+				this.identifierFormatValidator.Enabled = UriValidatorEnabledDefault;
+				this.identifierFormatValidator.Display = ValidatorDisplay.Dynamic;
+				this.identifierFormatValidator.ValidationGroup = ValidationGroupDefault;
+				cell.Controls.Add(this.identifierFormatValidator);
+				this.errorLabel = new Label();
+				this.errorLabel.EnableViewState = false;
+				this.errorLabel.ForeColor = System.Drawing.Color.Red;
+				this.errorLabel.Style[HtmlTextWriterStyle.Display] = "block"; // puts it on its own line
+				this.errorLabel.Visible = false;
+				cell.Controls.Add(this.errorLabel);
+				this.examplePrefixLabel = new Label();
+				this.examplePrefixLabel.Text = ExamplePrefixDefault;
+				cell.Controls.Add(this.examplePrefixLabel);
+				cell.Controls.Add(new LiteralControl(" "));
+				this.exampleUrlLabel = new Label();
+				this.exampleUrlLabel.Font.Bold = true;
+				this.exampleUrlLabel.Text = ExampleUrlDefault;
+				cell.Controls.Add(this.exampleUrlLabel);
+				row2.Cells.Add(cell);
+			} catch {
+				cell.Dispose();
+				throw;
+			}
 
 			// middle row, right cell
 			cell = new TableCell();
-			cell.Style[HtmlTextWriterStyle.Color] = "gray";
-			cell.Style[HtmlTextWriterStyle.FontSize] = "smaller";
-			cell.Style[HtmlTextWriterStyle.TextAlign] = "center";
-			this.registerLink = new HyperLink();
-			this.registerLink.Text = RegisterTextDefault;
-			this.registerLink.ToolTip = RegisterToolTipDefault;
-			this.registerLink.NavigateUrl = RegisterUrlDefault;
-			this.registerLink.Visible = RegisterVisibleDefault;
-			cell.Controls.Add(this.registerLink);
-			row2.Cells.Add(cell);
+			try {
+				cell.Style[HtmlTextWriterStyle.Color] = "gray";
+				cell.Style[HtmlTextWriterStyle.FontSize] = "smaller";
+				cell.Style[HtmlTextWriterStyle.TextAlign] = "center";
+				this.registerLink = new HyperLink();
+				this.registerLink.Text = RegisterTextDefault;
+				this.registerLink.ToolTip = RegisterToolTipDefault;
+				this.registerLink.NavigateUrl = RegisterUrlDefault;
+				this.registerLink.Visible = RegisterVisibleDefault;
+				cell.Controls.Add(this.registerLink);
+				row2.Cells.Add(cell);
+			} catch {
+				cell.Dispose();
+				throw;
+			}
 
 			// bottom row, left cell
 			cell = new TableCell();
@@ -782,17 +807,27 @@ namespace DotNetOpenAuth.OpenId.RelyingParty {
 
 			// bottom row, middle cell
 			cell = new TableCell();
-			this.rememberMeCheckBox = new CheckBox();
-			this.rememberMeCheckBox.Text = RememberMeTextDefault;
-			this.rememberMeCheckBox.Checked = this.UsePersistentCookie != LogOnPersistence.Session;
-			this.rememberMeCheckBox.Visible = RememberMeVisibleDefault;
-			this.rememberMeCheckBox.CheckedChanged += this.RememberMeCheckBox_CheckedChanged;
-			cell.Controls.Add(this.rememberMeCheckBox);
-			row3.Cells.Add(cell);
+			try {
+				this.rememberMeCheckBox = new CheckBox();
+				this.rememberMeCheckBox.Text = RememberMeTextDefault;
+				this.rememberMeCheckBox.Checked = this.UsePersistentCookie != LogOnPersistence.Session;
+				this.rememberMeCheckBox.Visible = RememberMeVisibleDefault;
+				this.rememberMeCheckBox.CheckedChanged += this.RememberMeCheckBox_CheckedChanged;
+				cell.Controls.Add(this.rememberMeCheckBox);
+				row3.Cells.Add(cell);
+			} catch {
+				cell.Dispose();
+				throw;
+			}
 
 			// bottom row, right cell
 			cell = new TableCell();
-			row3.Cells.Add(cell);
+			try {
+				row3.Cells.Add(cell);
+			} catch {
+				cell.Dispose();
+				throw;
+			}
 
 			// this sets all the controls' tab indexes
 			this.TabIndex = TabIndexDefault;
diff --git a/src/DotNetOpenAuth/OpenId/RelyingParty/OpenIdMobileTextBox.cs b/src/DotNetOpenAuth/OpenId/RelyingParty/OpenIdMobileTextBox.cs
index dbf9530..8684bd1 100644
--- a/src/DotNetOpenAuth/OpenId/RelyingParty/OpenIdMobileTextBox.cs
+++ b/src/DotNetOpenAuth/OpenId/RelyingParty/OpenIdMobileTextBox.cs
@@ -762,13 +762,17 @@ namespace DotNetOpenAuth.OpenId.RelyingParty {
 			IRelyingPartyApplicationStore store = this.Stateless ? null :
 				(this.CustomApplicationStore ?? DotNetOpenAuthSection.Configuration.OpenId.RelyingParty.ApplicationStore.CreateInstance(OpenIdRelyingParty.HttpApplicationStore));
 			var rp = new OpenIdRelyingParty(store);
-
-			// Only set RequireSsl to true, as we don't want to override 
-			// a .config setting of true with false.
-			if (this.RequireSsl) {
-				rp.SecuritySettings.RequireSsl = true;
+			try {
+				// Only set RequireSsl to true, as we don't want to override 
+				// a .config setting of true with false.
+				if (this.RequireSsl) {
+					rp.SecuritySettings.RequireSsl = true;
+				}
+				return rp;
+			} catch {
+				rp.Dispose();
+				throw;
 			}
-			return rp;
 		}
 	}
 }
diff --git a/src/DotNetOpenAuth/OpenId/RelyingParty/OpenIdRelyingPartyAjaxControlBase.cs b/src/DotNetOpenAuth/OpenId/RelyingParty/OpenIdRelyingPartyAjaxControlBase.cs
index 37ba8c1..6cea42d 100644
--- a/src/DotNetOpenAuth/OpenId/RelyingParty/OpenIdRelyingPartyAjaxControlBase.cs
+++ b/src/DotNetOpenAuth/OpenId/RelyingParty/OpenIdRelyingPartyAjaxControlBase.cs
@@ -399,6 +399,7 @@ namespace DotNetOpenAuth.OpenId.RelyingParty {
 		/// </summary>
 		/// <param name="writer">The <see cref="T:System.Web.UI.HtmlTextWriter"/> object that receives the server control content.</param>
 		protected override void Render(HtmlTextWriter writer) {
+			Contract.Assume(writer != null, "Missing contract.");
 			base.Render(writer);
 
 			// Emit a hidden field to let the javascript on the user agent know if an
diff --git a/src/DotNetOpenAuth/OpenId/RelyingParty/OpenIdRelyingPartyControlBase.cs b/src/DotNetOpenAuth/OpenId/RelyingParty/OpenIdRelyingPartyControlBase.cs
index 838b749..5090ecd 100644
--- a/src/DotNetOpenAuth/OpenId/RelyingParty/OpenIdRelyingPartyControlBase.cs
+++ b/src/DotNetOpenAuth/OpenId/RelyingParty/OpenIdRelyingPartyControlBase.cs
@@ -358,6 +358,8 @@ namespace DotNetOpenAuth.OpenId.RelyingParty {
 			}
 
 			set {
+				Contract.Requires<ArgumentException>(!string.IsNullOrEmpty(value));
+
 				if (Page != null && !DesignMode) {
 					// Validate new value by trying to construct a Realm object based on it.
 					new Realm(OpenIdUtilities.GetResolvedRealm(this.Page, value, this.RelyingParty.Channel.GetRequestFromContext())); // throws an exception on failure.
diff --git a/src/DotNetOpenAuth/OpenId/RelyingParty/OpenIdSelector.cs b/src/DotNetOpenAuth/OpenId/RelyingParty/OpenIdSelector.cs
index 5b85e7c..b7a54eb 100644
--- a/src/DotNetOpenAuth/OpenId/RelyingParty/OpenIdSelector.cs
+++ b/src/DotNetOpenAuth/OpenId/RelyingParty/OpenIdSelector.cs
@@ -310,11 +310,16 @@ namespace DotNetOpenAuth.OpenId.RelyingParty {
 			this.EnsureValidButtons();
 
 			var css = new HtmlLink();
-			css.Href = this.Page.ClientScript.GetWebResourceUrl(this.GetType(), EmbeddedStylesheetResourceName);
-			css.Attributes["rel"] = "stylesheet";
-			css.Attributes["type"] = "text/css";
-			ErrorUtilities.VerifyHost(this.Page.Header != null, OpenIdStrings.HeadTagMustIncludeRunatServer);
-			this.Page.Header.Controls.AddAt(0, css); // insert at top so host page can override
+			try {
+				css.Href = this.Page.ClientScript.GetWebResourceUrl(this.GetType(), EmbeddedStylesheetResourceName);
+				css.Attributes["rel"] = "stylesheet";
+				css.Attributes["type"] = "text/css";
+				ErrorUtilities.VerifyHost(this.Page.Header != null, OpenIdStrings.HeadTagMustIncludeRunatServer);
+				this.Page.Header.Controls.AddAt(0, css); // insert at top so host page can override
+			} catch {
+				css.Dispose();
+				throw;
+			}
 
 			// Import the .js file where most of the code is.
 			this.Page.ClientScript.RegisterClientScriptResource(typeof(OpenIdSelector), EmbeddedScriptResourceName);
@@ -344,6 +349,7 @@ namespace DotNetOpenAuth.OpenId.RelyingParty {
 		/// </summary>
 		/// <param name="writer">The <see cref="T:System.Web.UI.HtmlTextWriter"/> object that receives the server control content.</param>
 		protected override void Render(HtmlTextWriter writer) {
+			Contract.Assume(writer != null, "Missing contract");
 			writer.AddAttribute(HtmlTextWriterAttribute.Class, "OpenIdProviders");
 			writer.RenderBeginTag(HtmlTextWriterTag.Ul);
 
diff --git a/src/DotNetOpenAuth/OpenId/RelyingParty/OpenIdTextBox.cs b/src/DotNetOpenAuth/OpenId/RelyingParty/OpenIdTextBox.cs
index 08e7aac..335b435 100644
--- a/src/DotNetOpenAuth/OpenId/RelyingParty/OpenIdTextBox.cs
+++ b/src/DotNetOpenAuth/OpenId/RelyingParty/OpenIdTextBox.cs
@@ -584,6 +584,8 @@ namespace DotNetOpenAuth.OpenId.RelyingParty {
 		/// </summary>
 		/// <param name="writer">The <see cref="T:System.Web.UI.HtmlTextWriter"/> object that receives the server control content.</param>
 		protected override void Render(HtmlTextWriter writer) {
+			Contract.Assume(writer != null, "Missing contract.");
+
 			if (this.ShowLogo) {
 				string logoUrl = Page.ClientScript.GetWebResourceUrl(
 					typeof(OpenIdTextBox), EmbeddedLogoResourceName);
@@ -625,6 +627,8 @@ namespace DotNetOpenAuth.OpenId.RelyingParty {
 		/// true if the server control's state changes as a result of the postback; otherwise, false.
 		/// </returns>
 		protected virtual bool LoadPostData(string postDataKey, NameValueCollection postCollection) {
+			Contract.Assume(postCollection != null, "Missing contract");
+
 			// If the control was temporarily hidden, it won't be in the Form data,
 			// and we'll just implicitly keep the last Text setting.
 			if (postCollection[this.Name] != null) {
diff --git a/src/DotNetOpenAuth/OpenId/UriIdentifier.cs b/src/DotNetOpenAuth/OpenId/UriIdentifier.cs
index 0608952..278ae37 100644
--- a/src/DotNetOpenAuth/OpenId/UriIdentifier.cs
+++ b/src/DotNetOpenAuth/OpenId/UriIdentifier.cs
@@ -68,6 +68,7 @@ namespace DotNetOpenAuth.OpenId {
 		/// since some identifiers (like some of the pseudonymous identifiers from Yahoo) include path segments
 		/// that end with periods, which the Uri class will typically trim off.
 		/// </remarks>
+		[SuppressMessage("Microsoft.Performance", "CA1810:InitializeReferenceTypeStaticFieldsInline", Justification = "Some things just can't be done in a field initializer.")]
 		static UriIdentifier() {
 			// Our first attempt to handle trailing periods in path segments is to leverage
 			// full trust if it's available to rewrite the rules.
@@ -531,12 +532,14 @@ namespace DotNetOpenAuth.OpenId {
 
 				// Get the Path out ourselves, since the default Uri parser compresses it too much for OpenID.
 				int schemeLength = value.IndexOf(Uri.SchemeDelimiter, StringComparison.Ordinal);
+				Contract.Assume(schemeLength > 0);
 				int hostStart = schemeLength + Uri.SchemeDelimiter.Length;
 				int hostFinish = value.IndexOf('/', hostStart);
 				if (hostFinish < 0) {
 					this.Path = "/";
 				} else {
 					int pathFinish = value.IndexOfAny(PathEndingCharacters, hostFinish);
+					Contract.Assume(pathFinish >= hostFinish || pathFinish < 0);
 					if (pathFinish < 0) {
 						this.Path = value.Substring(hostFinish);
 					} else {
@@ -663,6 +666,7 @@ namespace DotNetOpenAuth.OpenId {
 			/// Initializes this parser with the actual scheme it should appear to be.
 			/// </summary>
 			/// <param name="hideNonStandardScheme">if set to <c>true</c> Uris using this scheme will look like they're using the original standard scheme.</param>
+			[SuppressMessage("Microsoft.Globalization", "CA1308:NormalizeStringsToUppercase", Justification = "Schemes are traditionally displayed in lowercase.")]
 			internal void Initialize(bool hideNonStandardScheme) {
 				if (schemeField == null) {
 					schemeField = typeof(UriParser).GetField("m_Scheme", BindingFlags.NonPublic | BindingFlags.Instance);
diff --git a/src/DotNetOpenAuth/Reporting.cs b/src/DotNetOpenAuth/Reporting.cs
index c4421c4..612845f 100644
--- a/src/DotNetOpenAuth/Reporting.cs
+++ b/src/DotNetOpenAuth/Reporting.cs
@@ -151,6 +151,7 @@ namespace DotNetOpenAuth {
 		/// </summary>
 		/// <param name="eventName">Name of the event.</param>
 		/// <param name="category">The category within the event.  Null and empty strings are allowed, but considered the same.</param>
+		[SuppressMessage("Microsoft.Reliability", "CA2000:Dispose objects before losing scope", Justification = "PersistentCounter instances are stored in a table for later use.")]
 		internal static void RecordEventOccurrence(string eventName, string category) {
 			Contract.Requires(!String.IsNullOrEmpty(eventName));
 
@@ -318,6 +319,7 @@ namespace DotNetOpenAuth {
 		/// <summary>
 		/// Initializes Reporting if it has not been initialized yet.
 		/// </summary>
+		[SuppressMessage("Microsoft.Design", "CA1031:DoNotCatchGeneralExceptionTypes", Justification = "This method must never throw.")]
 		private static void Initialize() {
 			lock (initializationSync) {
 				if (!broken && !initialized) {
@@ -355,44 +357,49 @@ namespace DotNetOpenAuth {
 		/// <returns>A stream that contains the report.</returns>
 		private static Stream GetReport() {
 			var stream = new MemoryStream();
-			var writer = new StreamWriter(stream, Encoding.UTF8);
-			writer.WriteLine(reportOriginIdentity.ToString("B"));
-			writer.WriteLine(Util.LibraryVersion);
-			writer.WriteLine(".NET Framework {0}", Environment.Version);
-
-			foreach (var observation in observations) {
-				observation.Flush();
-				writer.WriteLine("====================================");
-				writer.WriteLine(observation.FileName);
-				try {
-					using (var fileStream = new IsolatedStorageFileStream(observation.FileName, FileMode.Open, FileAccess.Read, FileShare.ReadWrite, file)) {
-						writer.Flush();
-						fileStream.CopyTo(writer.BaseStream);
+			try {
+				var writer = new StreamWriter(stream, Encoding.UTF8);
+				writer.WriteLine(reportOriginIdentity.ToString("B"));
+				writer.WriteLine(Util.LibraryVersion);
+				writer.WriteLine(".NET Framework {0}", Environment.Version);
+
+				foreach (var observation in observations) {
+					observation.Flush();
+					writer.WriteLine("====================================");
+					writer.WriteLine(observation.FileName);
+					try {
+						using (var fileStream = new IsolatedStorageFileStream(observation.FileName, FileMode.Open, FileAccess.Read, FileShare.ReadWrite, file)) {
+							writer.Flush();
+							fileStream.CopyTo(writer.BaseStream);
+						}
+					} catch (FileNotFoundException) {
+						writer.WriteLine("(missing)");
 					}
-				} catch (FileNotFoundException) {
-					writer.WriteLine("(missing)");
 				}
-			}
 
-			// Not all event counters may have even loaded in this app instance.
-			// We flush the ones in memory, and then read all of them off disk.
-			foreach (var counter in events.Values) {
-				counter.Flush();
-			}
+				// Not all event counters may have even loaded in this app instance.
+				// We flush the ones in memory, and then read all of them off disk.
+				foreach (var counter in events.Values) {
+					counter.Flush();
+				}
 
-			foreach (string eventFile in file.GetFileNames("event-*.txt")) {
-				writer.WriteLine("====================================");
-				writer.WriteLine(eventFile);
-				using (var fileStream = new IsolatedStorageFileStream(eventFile, FileMode.Open, FileAccess.Read, FileShare.ReadWrite, file)) {
-					writer.Flush();
-					fileStream.CopyTo(writer.BaseStream);
+				foreach (string eventFile in file.GetFileNames("event-*.txt")) {
+					writer.WriteLine("====================================");
+					writer.WriteLine(eventFile);
+					using (var fileStream = new IsolatedStorageFileStream(eventFile, FileMode.Open, FileAccess.Read, FileShare.ReadWrite, file)) {
+						writer.Flush();
+						fileStream.CopyTo(writer.BaseStream);
+					}
 				}
-			}
 
-			// Make sure the stream is positioned at the beginning.
-			writer.Flush();
-			stream.Position = 0;
-			return stream;
+				// Make sure the stream is positioned at the beginning.
+				writer.Flush();
+				stream.Position = 0;
+				return stream;
+			} catch {
+				stream.Dispose();
+				throw;
+			}
 		}
 
 		/// <summary>
diff --git a/src/DotNetOpenAuth/Util.cs b/src/DotNetOpenAuth/Util.cs
index 9f8b30c..8a18ef8 100644
--- a/src/DotNetOpenAuth/Util.cs
+++ b/src/DotNetOpenAuth/Util.cs
@@ -126,7 +126,7 @@ namespace DotNetOpenAuth {
 							sb.Append("\t");
 							sb.Append(objString);
 
-							if (!objString.EndsWith(Environment.NewLine)) {
+							if (!objString.EndsWith(Environment.NewLine, StringComparison.Ordinal)) {
 								sb.AppendLine();
 							}
 							sb.AppendLine("}, {");
diff --git a/src/DotNetOpenAuth/XrdsPublisher.cs b/src/DotNetOpenAuth/XrdsPublisher.cs
index e7c04d8..83d82ff 100644
--- a/src/DotNetOpenAuth/XrdsPublisher.cs
+++ b/src/DotNetOpenAuth/XrdsPublisher.cs
@@ -9,6 +9,7 @@ namespace DotNetOpenAuth {
 	using System.Collections.Generic;
 	using System.ComponentModel;
 	using System.Diagnostics.CodeAnalysis;
+	using System.Diagnostics.Contracts;
 	using System.Drawing.Design;
 	using System.Text;
 	using System.Web;
@@ -209,6 +210,7 @@ namespace DotNetOpenAuth {
 		/// <param name="writer">The <see cref="T:System.Web.UI.HtmlTextWriter"/> object that receives the server control content.</param>
 		[SuppressMessage("Microsoft.Usage", "CA2234:PassSystemUriObjectsInsteadOfStrings", Justification = "Uri(Uri, string) accepts second arguments that Uri(Uri, new Uri(string)) does not that we must support.")]
 		protected override void Render(HtmlTextWriter writer) {
+			Contract.Assume(writer != null, "Missing contract.");
 			if (this.Enabled && this.Visible && !string.IsNullOrEmpty(this.XrdsUrl)) {
 				Uri xrdsAddress = new Uri(MessagingUtilities.GetRequestUrlFromContext(), Page.Response.ApplyAppPathModifier(this.XrdsUrl));
 				if ((this.XrdsAdvertisement & XrdsUrlLocations.HttpHeader) != 0) {