XSLT Security
This topic describes security issues associated with XSLT in MSXML. In addition, the topic provides some guidance for mitigating security exposure.
Security Issues
The following sections describe important XSLT security issues. They are not listed in any significant order. You should familiarize yourself with all the issues discussed, and address them in your applications.
Denial of Service Attacks
Untrusted style sheets are those that come from an untrustworthy domain. There is no way to eliminate denial of service (DoS) attacks when processing untrusted style sheets or untrusted documents without removing necessary functionality. If denial of service is a concern, do not accept untrusted style sheets or untrusted documents for transformation.
Cross-Site Attacks
It is not safe to compile and execute an untrusted style sheet within a trusted page (such as a page from your local hard drive). The style sheet may contain the document()
function or xsl:include
/ xsl:import
statements, which are capable of loading trusted files and sending them back to the untrusted domain.
XSLT Scripts Are Prohibited by Default
The DOM supports XSLT transformations via calls to the transformNode method and transformNodeToObject method. XSLT supports scripting inside style sheets using the <msxsl:script> element. This allows custom functions to be used in an XSLT transformation. If you require scripting in your XSLT transformations, you can enable the feature by setting the AllowXsltScript Property to true
. Note that the default value for AllowXsltScript Property is true for MSXML 3.0 and false for MSXML 6.0.
To allow XSLT scripting (JScript):
doc.setProperty("AllowXsltScript", true);
To disallow XSLT scripting:
doc.setProperty("AllowXsltScript", false);
If you use MSXML 6.0 via script in Internet Explorer to execute transformations, when the AllowXsltScript property is set to false
scripting is disabled, no matter what the Internet Explorer settings are.
Internet Explorer 8.0 and earlier versions uses MSXML 3.0 by default, so when using the MIME viewer to transform scripts, the Internet Explorer security settings are used.
The following example demonstrates how to set the Internet Explorer security settings to disallow running scripts.
Note
To run the following example, you must have a network share where you can copy your files.
Create an XML document and copy the content of the following XML code into this document. Copy the XML document that you created to some directory on the network share.
<?xml version="1.0"?> <?xml-stylesheet type="text/xsl" href="script.xsl" ?> <customers> <customer> <name>John Smith</name> <address>123 Elm St.</address> <phone>(123) 456-7890</phone> </customer> <customer> <name>Mary Jones</name> <address>456 Oak Ave.</address> <phone>(156) 789-0123</phone> </customer> </customers>
Create an XSL document and copy the content of the following XSL code into this document. Copy the XSL document that you created to some directory on the network share.
<?xml version='1.0'?> <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:user="http://mycompany.com/mynamespace"> <msxsl:script language="JScript" implements-prefix="user"> function xml(nodelist) { return nodelist.nextNode().xml; } </msxsl:script> <xsl:template match="/"> <xsl:value-of select="user:xml(.)"/> </xsl:template> </xsl:stylesheet>
Open Internet Explorer. Make sure you have only one instance of Internet Explorer running. From the Tools menu, select Internet Options. From the Internet Options dialog box, select the Security tab and click Local intranet. Click the Custom Level button; the Security Settings dialog box will appear. Scroll down to the Scripting section, and under Active scripting select Disable. This will disable running scripts for files located on the network.
In the Internet Explorer Address bar, type the path to the XML file that you created and press Enter. You should see the following error message: "Security settings do not allow the execution of script code within this stylesheet."
The XSLT document Function Is Disallowed by Default
The DOM supports XSLT transformations via calls to the transformNode and transformNodeToObject methods. The XSLT document function provides a way to retrieve other XML resources from within the XSLT style sheet beyond the initial data provided by the input stream. In MSXML 6.0 this feature is disabled by default. If you must use the document
function in your XSLT transformations, you can enable the feature by setting the AllowDocumentFunction property to true
.
The following is the JScript code to allow the document
function:
doc.setProperty("AllowDocumentFunction", true);
To disallow the document
function:
doc.setProperty("AllowDocumentFunction", false);
If you enable the document
function, you should be aware that the document
function runs with the same security settings as the style sheet. If your style sheet is running in a trusted security context, then all files loaded using the document
function will run in the same security context. For example, if scripts are allowed in the main style sheet, they will be allowed in all the included and imported files. You should not load untrusted documents via the document
function.
Loading External Files Is Prohibited by Default
In MSXML 6.0 external files loaded via xsl:include
or xsl:import
are not processed by default – they must be explicitly enabled by the developer.
If you are using MSXML 6.0 and all of your XSLT style sheets and XML documents come from a secure site, you can allow external schemas by setting the resolveExternals property to true
.
To allow external files:
doc.resolveExternals = true;
To disallow external files:
doc.resolveExternals = false;
Error Messages May Reveal Data
Certain types of threats require that you program your application in certain ways. For example, the description of an error may reveal data such as the data being transformed. Errors may also reveal file names. Error messages should not be exposed to callers that are not trusted. You should catch all errors and report errors with your own custom error messages.