XSLT Security

A version of this page is also available for Windows Embedded CE 6.0 R3

4/8/2010

Extensible Stylesheet Language Transformation (XSLT) has the following potential security risks:

  • XSLT is designed to run over a public network, such as the Internet. If the security of the XSLT is compromised, it could expose the Windows Mobile device or local network to the public network.
  • XSLT supports third-party extensions. If these extensions do not use proper security and authentication procedures, they could compromise the security of the Windows Mobile device or local network.
  • If XSLT is used with Internet Explorer and proper security and authentication procedures are not used, XSLT could compromise the security of the Windows Mobile device or local network.

Best Practices

For server-side implementations, do not accept XSLT from untrusted sources

For security considerations, XSLT should be treated as code. XSLT files contain instructions that are interpreted by the XML parser. A malicious user can cause an arbitrary XSLT transformation to be performed, and such a transformation could, for example, run an infinite loop and exhaust system resources.
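The following is an added example, not code from the original page or from MSXML: a static policy gate that applies the "treat XSLT as code" rule before a stylesheet reaches the transformation engine. It enforces the trusted-source rule and additionally refuses stylesheets that enable processor extensions, embed a script block, or pull external data with document(). The sample stylesheets, the finding strings and the policy itself are constructed for illustration.

```python
"""Static policy gate for XSLT stylesheets (added example, not part of the page).
Treats a stylesheet as code: untrusted sources are refused outright, and even a
trusted stylesheet must not use processor extensions or external data access."""
import xml.etree.ElementTree as ET

XSLT_NS = "http://www.w3.org/1999/XSL/Transform"
MSXSL_NS = "urn:schemas-microsoft-com:xslt"   # MSXML extension namespace
XPATH_ATTRS = ("select", "test", "match", "use")  # attributes holding XPath

def audit_stylesheet(xslt_text):
    """Return a list of policy findings; empty means only core XSLT 1.0
    constructs with no extensions or external resource access were found."""
    findings = []
    root = ET.fromstring(xslt_text)
    if root.tag not in ("{%s}stylesheet" % XSLT_NS, "{%s}transform" % XSLT_NS):
        return ["root element is not an XSLT stylesheet"]
    # Declaring extension element prefixes turns on processor-specific elements.
    prefixes = root.get("extension-element-prefixes")
    if prefixes:
        findings.append("extension-element-prefixes declared: " + prefixes)
    for elem in root.iter():
        # msxsl:script embeds script code that the processor would execute.
        if elem.tag == "{%s}script" % MSXSL_NS:
            findings.append("embedded script block (msxsl:script)")
        for attr in XPATH_ATTRS:
            expr = elem.get(attr)
            # document() loads arbitrary URIs into the transformation.
            if expr and "document(" in expr:
                findings.append("external access via document() in %s=%r" % (attr, expr))
    # Non-terminating recursion cannot be detected statically; the transform
    # itself must still run under a timeout and memory limit.
    return findings

def transform_allowed(xslt_text, trusted):
    """Page rule first (never accept XSLT from untrusted sources), then audit."""
    return bool(trusted) and not audit_stylesheet(xslt_text)

# Constructed samples: a plain stylesheet and one using extension features.
BENIGN = """<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/"><out><xsl:value-of select="/doc/title"/></out></xsl:template>
</xsl:stylesheet>"""
RISKY = """<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:u="urn:user"
    extension-element-prefixes="msxsl">
  <msxsl:script language="JScript" implements-prefix="u">function f() { return 1; }</msxsl:script>
  <xsl:template match="/"><xsl:value-of select="document('http://example.invalid/x')"/></xsl:template>
</xsl:stylesheet>"""

if __name__ == "__main__":
    for name, text in (("benign", BENIGN), ("risky", RISKY)):
        print(name, "trusted+audited ->", transform_allowed(text, trusted=True), audit_stylesheet(text))
```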

See Also

Other Resources

XML Core Services and Document Object Model