CA5374: Do not use XslTransform

Property Value
Rule ID CA5374
Title Do not use XslTransform
Category Security
Fix is breaking or non-breaking Non-breaking
Enabled by default in .NET 9 No

Cause

Instantiating an System.Xml.Xsl.XslTransform, which doesn't restrict potentially dangerous external references or prevent scripts.

Rule description

XslTransform is vulnerable when operating on untrusted input. An attack could execute arbitrary code.

How to fix violations

Replace XslTransform with System.Xml.Xsl.XslCompiledTransform. For more guidance, see Migrating from the XslTransform class.

When to suppress warnings

The XslTransform object, XSLT style sheets, and XML source data are all from trusted sources.

Suppress a warning

If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.

#pragma warning disable CA5374
// The code that's violating the rule is on this line.
#pragma warning restore CA5374

To disable the rule for a file, folder, or project, set its severity to none in the configuration file.

[*.{cs,vb}]
dotnet_diagnostic.CA5374.severity = none

For more information, see How to suppress code analysis warnings.

Pseudo-code examples

Violation

At present, the following pseudo-code sample illustrates the pattern detected by this rule.

using System;
using System.Xml;
using System.Xml.XPath;
using System.Xml.Xsl;

namespace TestForXslTransform
{
    class Program
    {
        static void Main(string[] args)
        {
            // Create a new XslTransform object.
            XslTransform xslt = new XslTransform();

            // Load the stylesheet.
            xslt.Load("https://server/favorite.xsl");

            // Create a new XPathDocument and load the XML data to be transformed.
            XPathDocument mydata = new XPathDocument("inputdata.xml");

            // Create an XmlTextWriter which outputs to the console.
            XmlWriter writer = new XmlTextWriter(Console.Out);

            // Transform the data and send the output to the console.
            xslt.Transform(mydata, null, writer, null);
        }
    }
}

Solution

using System.Xml;
using System.Xml.Xsl;

namespace TestForXslTransform
{
    class Program
    {
        static void Main(string[] args)
        {
            // Default XsltSettings constructor disables the XSLT document() function
            // and embedded script blocks.
            XsltSettings settings = new XsltSettings();

            // Execute the transform.
            XslCompiledTransform xslt = new XslCompiledTransform();
            xslt.Load("https://server/favorite.xsl", settings, new XmlUrlResolver());
            xslt.Transform("inputdata.xml", "outputdata.html");
        }
    }
}