XSLT Security

Extensible Stylesheet Language Transformation (XSLT) has the following potential security risks:

  • XSLT is designed to run over a public network, such as the Internet. If the security of the XSLT is compromised, it could expose the device or local network to the public network.
  • XSLT supports third-party extensions. If these extensions do not use proper security and authentication procedures, they could compromise the security of a device or local network.
  • If XSLT is used with Internet Explorer and proper security and authentication procedures are not used, XSLT could compromise the security of a device or local network.

Best Practices

For server-side implementations, do not accept XSLT from untrusted sources

For security purposes, treat XSLT as code. XSLT files contain instructions that are interpreted by the XML parser. A malicious user who can cause an arbitrary XSLT transformation to be performed could have it execute an infinite loop and exhaust system resources.
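One way to apply this practice on a server, as an added example that is not Microsoft's code: the request may name a style sheet but never supply its body, path, or URL, and the server loads only files whose SHA-256 digest matches the one recorded at review. The function name, registry layout, and file names are assumptions made for illustration.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


class UntrustedStylesheet(Exception):
    """The requested style sheet is not an approved, unmodified one."""


def load_trusted_stylesheet(name, registry, base_dir):
    """Return style sheet bytes only for a registered name with a matching digest.

    The request supplies a logical name only, never the style sheet body,
    a file path, or a URL. File name and SHA-256 come from the registry.
    """
    entry = registry.get(name)
    if entry is None:
        raise UntrustedStylesheet(f"no approved style sheet named {name!r}")
    filename, expected = entry
    data = (Path(base_dir) / filename).read_bytes()
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected):
        raise UntrustedStylesheet(f"{filename} differs from the reviewed version")
    return data


def demo():
    """Constructed sample: one approved load, then three rejected requests."""
    sheet = (b'<xsl:stylesheet version="1.0" '
             b'xmlns:xsl="http://www.w3.org/1999/XSL/Transform">'
             b'<xsl:template match="/"><out/></xsl:template></xsl:stylesheet>')
    with tempfile.TemporaryDirectory() as base:
        path = Path(base) / "report.xsl"
        path.write_bytes(sheet)
        registry = {"report": ("report.xsl", hashlib.sha256(sheet).hexdigest())}

        def attempt(name):
            try:
                return load_trusted_stylesheet(name, registry, base) == sheet
            except UntrustedStylesheet:
                return "rejected"

        results = {"approved": attempt("report"),
                   "unknown": attempt("invoice"),
                   "traversal": attempt("../report.xsl")}
        path.write_bytes(sheet + b"<!-- changed after review -->")
        results["tampered"] = attempt("report")
    return results
```

Only the bytes returned by `load_trusted_stylesheet` should be handed to the XSLT processor; a style sheet that fails the check is never parsed.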

Default Registry Settings

There are no registry settings affecting XSLT Security. For XSLT registry information, see XSLT Registry Settings.

 Last updated on Saturday, April 10, 2004

© 1992-2003 Microsoft Corporation. All rights reserved.