Security changes in .NET 2.0's XSLT

| 3 Comments | No TrackBacks

More security changes made in XSLT in .NET 2.0 Beta2. When working with XslCompiledTransform class:

document() function is disabled by default. To enable it, one has to provide XsltSettings enum value with EnableDocumentFunction field set to the XslCompiledTransform.Load() method:

XslCompiledTransform xslt = new XslCompiledTransform();
XsltSettings settings = new XsltSettings();
settings.EnableDocumentFunction = true;            
xslt.Load("style.xslt", settings, new XmlUrlResolver());
XslCompiledTransform xslt = new XslCompiledTransform();
XsltSettings settings = new XsltSettings(true, false);            
xslt.Load("style.xslt", settings, new XmlUrlResolver());
(first argument in the XsltSettings constructor controls document() function enabling).
Or even (for full trusted stylesheets):
XslCompiledTransform xslt = new XslCompiledTransform();                        
xslt.Load("style.xslt", XsltSettings.TrustedXslt, new XmlUrlResolver());
Note, that then one must provide an instance of XmlResolver class to the XslCompiledTransform.Load() method. It' used to resolve stylesheet URI and xsl:include/xsl:import statements and somehow cannot be null, so there doesn't seem to be any way to disable xsl:include/xsl:import, despite the documentation claims xsl:include/xsl:import are enabled by default. Weird.

And even if at compile time the document() function was enabled, one can supress it provideing null as a XmlResolver to the XslCompiledTransform.Transform() method. And btw, there is only one Transform() overload, which accepts XmlResolver, which is also weird, because it requires XmlReader and what if I've got IXPathNavigable as a source XML?

Script blocks are disabled by default too. Use the same XsltSettings enum to enable it.

Related Blog Posts

No TrackBacks

TrackBack URL:


Thanks Oleg,

Using "new XmlUrlResolver()" in load-method was the solution to my problem with a Xslt importing another local Xslt file.

You are right, Andy. Thanks.

All URIs are passed to the resolver, including the original one you passed to Load:

xslt.Load("style.xslt", settings, null);

In this case, "style.xslt" cannot be resolved, since there is no resolver to do it.

If you want to compile a stylesheet, but disallow xsl:include/xsl:import, you should load the stylesheet into a reader:

xslt.Load(XmlReader.Create("style.xslt"), settings, null);

Leave a comment