XML Injection via XSLT Settings
Description
When `XsltSettings.EnableScript` or `XsltSettings.EnableDocumentFunction` is set to true, an adversary who can influence the loaded XSL document can inject code that runs in the context of the application and compromise the system. It is strongly recommended that an alternative approach be used to work with XML data.
Examples
Insecure Code

```csharp
XsltSettings xslt_settings = new XsltSettings();
xslt_settings.EnableScript = true; // embedded script blocks in the stylesheet will be compiled and executed
```

Secure Code

```csharp
XsltSettings xslt_settings = new XsltSettings();
xslt_settings.EnableScript = false;           // reject embedded script blocks
xslt_settings.EnableDocumentFunction = false; // reject the XSLT document() function
```

Remediation
Set `XsltSettings.EnableScript` and `XsltSettings.EnableDocumentFunction` to false, and modify the XML document before calling the `XslCompiledTransform.Transform` method instead of relying on XSL scripts to execute functions.
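The following is an added example, not code from the rule page, showing the remediation applied end to end: a stylesheet is loaded with both flags explicitly disabled and with no external resolver, and any stylesheet that needs script or `document()` is rejected by the loader rather than executed. The `SafeXslt` class, the `Transform` helper and the inline sample documents are constructed for this example.

```csharp
using System;
using System.IO;
using System.Xml;
using System.Xml.Xsl;

// Hypothetical helper class written for this example.
public static class SafeXslt
{
    // Runs xsltInput over xmlInput with scripting and document() disabled.
    // Throws XsltException if the stylesheet relies on either feature.
    public static string Transform(string xmlInput, string xsltInput)
    {
        // new XsltSettings() already defaults both flags to false; setting them
        // explicitly documents the intent and survives a later refactor to
        // XsltSettings.TrustedXslt (which enables both).
        var xsltSettings = new XsltSettings
        {
            EnableScript = false,
            EnableDocumentFunction = false
        };

        // Harden the readers as well: no DTD processing, no external fetches.
        var readerSettings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null
        };

        var transform = new XslCompiledTransform();
        using (var styleReader = XmlReader.Create(new StringReader(xsltInput), readerSettings))
        {
            // Third argument is the stylesheet resolver; null blocks
            // xsl:import / xsl:include of external resources.
            transform.Load(styleReader, xsltSettings, null);
        }

        var output = new StringWriter();
        using (var docReader = XmlReader.Create(new StringReader(xmlInput), readerSettings))
        {
            transform.Transform(docReader, null, output);
        }
        return output.ToString();
    }

    public static void Main()
    {
        // Constructed sample input document.
        const string xml = "<orders><order id=\"1\">widget</order></orders>";

        // Constructed stylesheet that uses only plain XSLT: accepted.
        const string plainXslt =
            "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">" +
            "<xsl:output method=\"text\"/>" +
            "<xsl:template match=\"/\">order=<xsl:value-of select=\"/orders/order/@id\"/></xsl:template>" +
            "</xsl:stylesheet>";

        // Constructed stylesheet that calls document(): rejected by the hardened settings.
        const string documentXslt =
            "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">" +
            "<xsl:output method=\"text\"/>" +
            "<xsl:template match=\"/\"><xsl:value-of select=\"document('other.xml')\"/></xsl:template>" +
            "</xsl:stylesheet>";

        Console.WriteLine(Transform(xml, plainXslt));

        try
        {
            Transform(xml, documentXslt);
            Console.WriteLine("unexpected: document() stylesheet was accepted");
        }
        catch (XsltException ex)
        {
            // Expected path: the feature is disabled, so the stylesheet is refused.
            Console.WriteLine("rejected stylesheet: " + ex.Message);
        }
    }
}
```

The rejection is surfaced as an `XsltException`; in a service this is the place to log the event (which stylesheet, which caller) rather than fall back to a permissive `XsltSettings.TrustedXslt`.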
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0455 |
| Category | Injection |
| Severity | HIGH |
| CWE | CWE-91 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | XSLT, XML Injection, Blind XPath injection |
| OWASP | A1:2017-Injection, A03:2021-Injection |