May 8, 2005
Security changes in .NET 2.0's XSLT
More security changes made in XSLT in .NET 2.0 Beta2. When working with XslCompiledTransform class:
document() function is disabled by default. To enable it, one has to provide XsltSettings enum value with EnableDocumentFunction field set to the XslCompiledTransform.Load() method:
XslCompiledTransform xslt = new XslCompiledTransform();
XsltSettings settings = new XsltSettings();
settings.EnableDocumentFunction = true;
xslt.Load("style.xslt", settings, new XmlUrlResolver());
or
XslCompiledTransform xslt = new XslCompiledTransform();
XsltSettings settings = new XsltSettings(true, false);
xslt.Load("style.xslt", settings, new XmlUrlResolver());
(The first argument in the XsltSettings constructor controls document() function enabling.)
Or even (for fully trusted stylesheets):
XslCompiledTransform xslt = new XslCompiledTransform();
xslt.Load("style.xslt", XsltSettings.TrustedXslt, new XmlUrlResolver());
Note that one must then provide an instance of the XmlResolver class to the XslCompiledTransform.Load() method. It's used to resolve the stylesheet URI and xsl:include/xsl:import statements and somehow cannot be null, so there doesn't seem to be any way to disable xsl:include/xsl:import, despite the documentation's claim that xsl:include/xsl:import are enabled by default. Weird.
And even if the document() function was enabled at compile time, one can suppress it by providing null as the XmlResolver to the XslCompiledTransform.Transform() method. And btw, there is only one Transform() overload which accepts an XmlResolver, which is also weird, because it requires an XmlReader, and what if I've got an IXPathNavigable as the source XML?
Script blocks are disabled by default too. Use the same XsltSettings enum to enable them.
May 8, 2005 1:02 PM | #System.Xml v2.0
Comments
You are right, Andy. Thanks. Posted by: Oleg Tkachenko at May 11, 2005 2:54 PM
All URIs are passed to the resolver, including the original one you passed to Load:
xslt.Load("style.xslt", settings, null);
In this case, "style.xslt" cannot be resolved, since there is no resolver to do it. If you want to compile a stylesheet, but disallow xsl:include/xsl:import, you should load the stylesheet into a reader:
xslt.Load(XmlReader.Create("style.xslt"), settings, null);
Posted by: Andy Kimball at May 10, 2005 11:20 PM
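An added example (not code from the original post or its comments) that combines the settings discussed above for a stylesheet that is not trusted: XsltSettings.Default with a null resolver at Load() via an XmlReader, and a null resolver again at Transform(). The class and method names, the inline stylesheet and the file name other.xml are constructed for illustration.

```csharp
using System;
using System.IO;
using System.Xml;
using System.Xml.Xsl;

static class UntrustedXsltDemo
{
    // Constructed sample: a stylesheet that tries to pull in another file via document().
    const string Stylesheet = @"<xsl:stylesheet version='1.0'
    xmlns:xsl='http://www.w3.org/1999/XSL/Transform'>
  <xsl:template match='/'>
    <out><xsl:copy-of select=""document('other.xml')""/></out>
  </xsl:template>
</xsl:stylesheet>";

    // Compile with document() and script blocks off (XsltSettings.Default) and
    // no stylesheet resolver, so xsl:include/xsl:import have nothing to resolve with.
    static XslCompiledTransform LoadLockedDown(string xsltText)
    {
        XslCompiledTransform xslt = new XslCompiledTransform();
        using (XmlReader reader = XmlReader.Create(new StringReader(xsltText)))
            xslt.Load(reader, XsltSettings.Default, null);
        return xslt;
    }

    // Run with a null document resolver as a second barrier at execution time.
    static string Run(XslCompiledTransform xslt, string xml)
    {
        StringWriter output = new StringWriter();
        using (XmlReader input = XmlReader.Create(new StringReader(xml)))
        using (XmlWriter writer = XmlWriter.Create(output, xslt.OutputSettings))
            xslt.Transform(input, null, writer, null);
        return output.ToString();
    }

    static void Main()
    {
        XslCompiledTransform xslt = LoadLockedDown(Stylesheet);
        try
        {
            Console.WriteLine(Run(xslt, "<doc/>"));
        }
        catch (XsltException ex)
        {
            // The refused document() call is reported as an XsltException.
            Console.WriteLine("Transform rejected: " + ex.Message);
        }
    }
}
```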