XSLT Security Considerations

The XSLT language has a rich set of features that give you a great deal of power and flexibility. It includes many features that, while useful, could also be exploited by outside sources. In order to use XSLT safely, you must understand the types of security issues that arise when using XSLT, and the basic strategies that you can employ to mitigate these risks.

XSLT Extensions

Two popular XSLT extensions are style sheet scripting and extension objects. These extensions allow the XSLT processor to execute code.

  • Extension objects add programming capabilities to XSL transformations.

  • Scripts can be embedded in the style sheet using the msxsl:script extension element.

Extension Objects

Extension objects are added using the AddExtensionObject method. The FullTrust permission set is required to support extension objects. This ensures that elevation of permissions does not happen when extension object code is executed. Attempting to call the AddExtensionObject method without FullTrust permissions results in a security exception being thrown.

Style Sheet Scripts

Scripts can be embedded in a style sheet using the msxsl:script extension element. Script support is an optional feature on the XslCompiledTransform class that is disabled by default. Scripting can be enabled by setting the XsltSettings.EnableScript property to true and passing the XsltSettings object to the Load method.

Note

Script blocks are supported only in .NET Framework. They are not supported on .NET Core or .NET 5 or later.

Guidelines

Enable scripting only when the style sheet comes from a trusted source. If you cannot verify the source of the style sheet, or if the style sheet does not come from a trusted source, pass in null for the XSLT settings argument.

External Resources

The XSLT language has features such as xsl:import, xsl:include, and the document() function, where the processor needs to resolve URI references. The XmlResolver class is used to resolve external resources. External resources may need to be resolved in the following two cases:

  • When the style sheet is compiled (the Load method) and it contains xsl:import or xsl:include elements.

  • When the transformation is executed (the Transform method) and the style sheet calls the document() function.

The Load and Transform methods each include overloads that accept an XmlResolver as one of their arguments. If an XmlResolver is not specified, a default XmlUrlResolver with no credentials is used.

Guidelines

Enable the document() function only when the style sheet comes from a trusted source.

The following list describes when you may want to specify an XmlResolver object:

  • If the XSLT process needs to access a network resource that requires authentication, you can use an XmlResolver with the necessary credentials.

  • If you want to restrict the resources that the XSLT process can access, you can use an XmlSecureResolver with the correct permission set. Use the XmlSecureResolver class if you need to open a resource that you do not control, or that is untrusted.

  • If you want to customize behavior, you can implement your own XmlResolver class and use it to resolve resources.

  • If you want to ensure that no external resources are accessed, you can specify null for the XmlResolver argument.
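The two sets of guidelines above (scripts and document() only from a trusted source; a null resolver when no external access is wanted) applied in code, as an added example that is not from the original page or from the .NET documentation. One loader handles an untrusted style sheet with XsltSettings.Default and null resolvers on both Load and Transform; the other handles a reviewed style sheet and enables only document() behind a resolver the caller supplies. The embedded style sheet and the file name it references are constructed samples.

```csharp
using System;
using System.IO;
using System.Xml;
using System.Xml.Xsl;

static class XsltHardening
{
    // Constructed sample: an untrusted style sheet that tries to copy a
    // local file into the output through document().
    const string UntrustedStyleSheet =
        "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">" +
        "<xsl:template match=\"/\"><out><xsl:copy-of select=\"document('secret.xml')\"/></out></xsl:template>" +
        "</xsl:stylesheet>";

    // Untrusted style sheet: XsltSettings.Default (the same as passing null) leaves
    // EnableScript and EnableDocumentFunction false, and a null resolver means
    // xsl:import / xsl:include cannot be fetched while the style sheet compiles.
    public static XslCompiledTransform LoadUntrusted(XmlReader styleSheet)
    {
        var xslt = new XslCompiledTransform();
        xslt.Load(styleSheet, XsltSettings.Default, (XmlResolver)null);
        return xslt;
    }

    // Reviewed style sheet: enable only document(), keep scripts off, and route
    // URI resolution through a resolver the caller controls (e.g. XmlSecureResolver).
    public static XslCompiledTransform LoadTrusted(XmlReader styleSheet, XmlResolver resolver)
    {
        var settings = new XsltSettings(enableDocumentFunction: true, enableScript: false);
        var xslt = new XslCompiledTransform();
        xslt.Load(styleSheet, settings, resolver);
        return xslt;
    }

    public static void Main()
    {
        using var styleSheet = XmlReader.Create(new StringReader(UntrustedStyleSheet));
        using var input = XmlReader.Create(new StringReader("<root/>"));
        using var output = XmlWriter.Create(Console.Out);
        try
        {
            var xslt = LoadUntrusted(styleSheet);
            // Transform takes its own resolver; null keeps document() from reaching
            // anything at run time even if it had been enabled.
            xslt.Transform(input, null, output, (XmlResolver)null);
        }
        catch (XsltException ex)
        {
            // The disabled document() call is rejected with an XsltException.
            Console.WriteLine("Rejected untrusted style sheet: " + ex.Message);
        }
    }
}
```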
