Security of Text Templates
This article applies to Visual Studio 2015. If you're looking for the latest Visual Studio documentation, use the version selector at the top left. We recommend upgrading to Visual Studio 2019. Download it here
Text templates have the following security concerns:
Text templates are vulnerable to arbitrary code insertions.
If the mechanism that the host uses to find a directive processor is not secure, a malicious directive processor could be run.
When you write a template, you can put any code within the <# #> tags. This allows arbitrary code to be executed from within a text template.
Be sure you obtain templates from trusted sources. Make sure to warn the end-users of your application not to execute templates that do not come from trusted sources.
Malicious Directive Processor
The text template engine interacts with a transformation host and one or more directive processors to transform the template text to an output file. For more information, see The Text Template Transformation Process.
If the mechanism that the host uses to find a directive processor is not secure, it runs the risk of running a malicious directive processor. The malicious directive processor could provide code that is run in
FullTrust mode when the template is run. If you create a custom text template transformation host, you must use a secure mechanism, such as the registry, for the engine to locate directive processors.