XSLT Security (Windows Embedded CE 6.0)

1/6/2010

Extensible Stylesheet Language Transformation (XSLT) has the following potential security risks:

  • XSLT is designed to run over a public network, such as the Internet. If the security of the XSLT is compromised, it could expose the Windows Embedded CE-based device or local network to the public network.
  • XSLT supports third-party extensions. If these extensions do not use proper security and authentication procedures, they could compromise the security of the Windows Embedded CE-based device or local network.
  • If XSLT is used with Internet Explorer and proper security and authentication procedures are not used, XSLT could compromise the security of the Windows Embedded CE-based device or local network.

Best Practices

For server-side implementations, do not accept XSLT from untrusted sources

For security purposes, treat XSLT as code. XSLT files contain instructions that are interpreted by the XML parser. A malicious user can cause an arbitrary XSLT transformation to be performed, and that transformation could execute an infinite loop and exhaust system resources.
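One way to apply this on a server, shown as an added example that is not part of the original documentation: the client may only name a stylesheet, and the server loads it only if the name is allowlisted and the stored bytes still match the hash recorded at review. The names `PINNED`, `load_stylesheet`, `handle_request`, the `style` and `xslt` request parameters, and the sample stylesheet are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample: stands in for a stylesheet the operator has reviewed.
TRUSTED_XSLT = b"""<?xml version="1.0"?>
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/">
    <out><xsl:value-of select="/order/id"/></out>
  </xsl:template>
</xsl:stylesheet>
"""

# Allowlist: logical name -> SHA-256 of the reviewed bytes. In a deployment
# the digest is a constant recorded at review time; it is computed here only
# so the example is self-contained.
PINNED = {"order-summary": hashlib.sha256(TRUSTED_XSLT).hexdigest()}


class UntrustedStylesheet(Exception):
    """Raised when a stylesheet may not be handed to the XSLT processor."""


def load_stylesheet(name, store):
    """Return stylesheet bytes only if allowlisted and unmodified."""
    pinned = PINNED.get(name)
    if pinned is None:
        raise UntrustedStylesheet("stylesheet %r is not on the allowlist" % name)
    data = store.get(name)
    if data is None:
        raise UntrustedStylesheet("stylesheet %r is missing from the store" % name)
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, pinned):
        raise UntrustedStylesheet("stylesheet %r changed since review" % name)
    return data


def handle_request(params, store):
    """Treat XSLT as code: the request selects a name, never supplies a body."""
    if "xslt" in params:
        raise UntrustedStylesheet("client-supplied stylesheets are not accepted")
    return load_stylesheet(params.get("style", ""), store)


if __name__ == "__main__":
    store = {"order-summary": TRUSTED_XSLT}  # constructed stylesheet store
    print(len(handle_request({"style": "order-summary"}, store)), "bytes loaded")
```
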

See Also

Concepts

XML OS Design Development

Other Resources

XML Stylesheet Language Transformations (XSLT)
XML Core Services and Document Object Model