How to: Perform an XSLT Transformation by Using an Assembly - .NET
The XSLT language has a rich set of features that give you a great deal of power and flexibility. It includes many features that, while useful, could also be exploited by outside sources. In order to use XSLT safely, you must understand the types of security issues that arise when using XSLT, and the basic strategies that you can employ to mitigate these risks.
Two popular XSLT extensions are style sheet scripting and extension objects. These extensions allow the XSLT processor to execute code.
Extension objects add programming capabilities to XSL transformations.
Scripts can be embedded in the style sheet using the msxsl:script extension element.
Extension objects are added using the AddExtensionObject method. The FullTrust permission set is required to support extension objects. This ensures that elevation of permissions does not happen when extension object code is executed. Attempting to call the AddExtensionObject method without FullTrust permissions results in a security exception being thrown.
Scripts can be embedded in a style sheet using the msxsl:script extension element. Script support is an optional feature on the XslCompiledTransform class that is disabled by default. Scripting can be enabled by setting the XsltSettings.EnableScript property to true and passing the XsltSettings object to the Load method.
Note
Script blocks are supported only in .NET Framework. They are not supported on .NET Core or .NET 5 or later.
Enable scripting only when the style sheet comes from a trusted source. If you cannot verify the source of the style sheet, or if the style sheet does not come from a trusted source, pass in null for the XSLT settings argument.
The XSLT language has features such as xsl:import, xsl:include, or the document() function, where the processor needs to resolve URI references. The XmlResolver class is used to resolve external resources. External resources may need to be resolved in the following two cases:
When compiling a style sheet, the XmlResolver is used for xsl:import and xsl:include resolution.
When executing the transformation, the XmlResolver is used to resolve the document() function.
Note
The document() function is disabled by default on the XslCompiledTransform class. This feature can be enabled by setting the XsltSettings.EnableDocumentFunction property to true and passing the XsltSettings object to the Load method.
The Load and Transform methods each include overloads that accept an XmlResolver as one of their arguments. If an XmlResolver is not specified, a default XmlUrlResolver with no credentials is used.
Enable the document() function only when the style sheet comes from a trusted source.
The following list describes when you may want to specify an XmlResolver object:
If the XSLT process needs to access a network resource that requires authentication, you can use an XmlResolver with the necessary credentials.
If you want to restrict the resources that the XSLT process can access, you can use an XmlSecureResolver with the correct permission set. Use the XmlSecureResolver class if you need to open a resource that you do not control, or that is untrusted.
If you want to customize behavior, you can implement your own XmlResolver class and use it to resolve resources.
If you want to ensure that no external resources are accessed, you can specify null for the XmlResolver argument.
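The following C# example is added here to show the settings described above (script and document() support left disabled, and a null XmlResolver passed to both Load and Transform) applied to a style sheet of unverified origin; it is not code from the original page. The style sheet and the placeholder URI it references are constructed for the example.

```csharp
using System;
using System.IO;
using System.Xml;
using System.Xml.Xsl;

class XsltHardeningDemo
{
    // Constructed sample style sheet (not from the page): it calls document() against a
    // placeholder URI, which is exactly the external access the text says to leave disabled.
    const string UntrustedStyleSheet = @"<?xml version=""1.0""?>
<xsl:stylesheet version=""1.0"" xmlns:xsl=""http://www.w3.org/1999/XSL/Transform"">
  <xsl:template match=""/"">
    <out><xsl:copy-of select=""document('http://placeholder.invalid/data.xml')""/></out>
  </xsl:template>
</xsl:stylesheet>";

    // Hardened path for a style sheet whose source cannot be verified:
    // XsltSettings.Default leaves EnableScript and EnableDocumentFunction false, and a
    // null XmlResolver on Load blocks xsl:import / xsl:include resolution while a null
    // XmlResolver on Transform blocks document() resolution.
    static string TransformUntrusted(string styleSheetXml, string inputXml)
    {
        var xslt = new XslCompiledTransform();
        using (var stylesheet = XmlReader.Create(new StringReader(styleSheetXml)))
        {
            xslt.Load(stylesheet, XsltSettings.Default, null); // null stylesheetResolver
        }

        var output = new StringWriter();
        using (var input = XmlReader.Create(new StringReader(inputXml)))
        using (var writer = XmlWriter.Create(output, xslt.OutputSettings))
        {
            xslt.Transform(input, null, writer, null); // null documentResolver
        }
        return output.ToString();
    }

    static void Main()
    {
        try
        {
            Console.WriteLine(TransformUntrusted(UntrustedStyleSheet, "<root/>"));
        }
        catch (XsltException ex)
        {
            // Expected with the defaults: the document() call is rejected instead of being
            // resolved (XslTransformException, raised during execution, derives from XsltException).
            Console.WriteLine("Rejected as expected: " + ex.Message);
        }
    }
}
```

To see the contrast, replacing XsltSettings.Default with new XsltSettings(true, false) re-enables document() and the same style sheet would then attempt to fetch the URI through whatever XmlResolver is supplied.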