CA5374 (Security). Enabled by default: No

Do not use XslTransform

Description

System.Xml.Xsl.XslTransform is vulnerable when operating on untrusted input. An attack could execute arbitrary code.

Cause

Instantiating a System.Xml.Xsl.XslTransform, which does not restrict potentially dangerous external references or prevent embedded scripts.

How to fix violations

Replace System.Xml.Xsl.XslTransform with System.Xml.Xsl.XslCompiledTransform. For more guidance, see Migrating from the XslTransform class.

Example

using System;
using System.Xml;
using System.Xml.XPath;
using System.Xml.Xsl;

namespace TestForXslTransform
{
    class Program
    {
        static void Main(string[] args)
        {
            // Violation: XslTransform has no settings object, so external references
            // (document(), xsl:import, xsl:include) and embedded script blocks cannot be disabled.
            XslTransform xslt = new XslTransform();

            // Load the stylesheet.
            xslt.Load("https://server/favorite.xsl");

            // Create a new XPathDocument and load the XML data to be transformed.
            XPathDocument mydata = new XPathDocument("inputdata.xml");

            // Create an XmlTextWriter which outputs to the console.
            XmlWriter writer = new XmlTextWriter(Console.Out);

            // Transform the data and send the output to the console.
            xslt.Transform(mydata, null, writer, null);
        }
    }
}

using System.Xml;
using System.Xml.Xsl;

namespace TestForXslTransform
{
    class Program
    {
        static void Main(string[] args)
        {
            // Default XsltSettings constructor disables the XSLT document() function
            // and embedded script blocks.
            XsltSettings settings = new XsltSettings();

            // Execute the transform.
            XslCompiledTransform xslt = new XslCompiledTransform();
            xslt.Load("https://server/favorite.xsl", settings, new XmlUrlResolver());
            xslt.Transform("inputdata.xml", "outputdata.html");
        }
    }
}
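The fix above passes XsltSettings to XslCompiledTransform but still loads the stylesheet from a URL with a live XmlUrlResolver. The following is an added example, not code from the CA5374 rule page or from the .NET documentation, that goes one step further than the page: it compiles a stylesheet supplied as text with XsltSettings.Default and a null resolver for both the stylesheet and the transform, and shows what happens when a stylesheet carrying an msxsl:script block meets those settings. The class and method names (SafeXslt, LoadUntrustedStylesheet, TransformUntrusted) and the two sample stylesheets are this example's own constructions; the API calls (XslCompiledTransform.Load, XsltSettings.Default, XmlReaderSettings, XslCompiledTransform.OutputSettings) are the real .NET ones.

```csharp
using System;
using System.IO;
using System.Xml;
using System.Xml.Xsl;

namespace XsltHardeningExample
{
    // Helper names here are this example's own, not part of the CA5374 rule or the .NET API.
    static class SafeXslt
    {
        // Reader settings for any XML we do not trust: DTDs rejected, no entity/external resolution.
        static XmlReaderSettings UntrustedReaderSettings()
        {
            return new XmlReaderSettings
            {
                DtdProcessing = DtdProcessing.Prohibit,
                XmlResolver = null
            };
        }

        // Compile a stylesheet supplied as text. XsltSettings.Default keeps document()
        // and embedded script blocks disabled; a null stylesheet resolver means
        // xsl:import / xsl:include cannot pull in external resources.
        public static XslCompiledTransform LoadUntrustedStylesheet(string stylesheetXml)
        {
            var xslt = new XslCompiledTransform();
            using (var reader = XmlReader.Create(new StringReader(stylesheetXml), UntrustedReaderSettings()))
            {
                xslt.Load(reader, XsltSettings.Default, null /* stylesheetResolver */);
            }
            return xslt;
        }

        // Run the compiled transform over untrusted input with a null document resolver,
        // so the transform has no way to fetch anything at execution time either.
        public static string TransformUntrusted(XslCompiledTransform xslt, string inputXml)
        {
            var output = new StringWriter();
            using (var input = XmlReader.Create(new StringReader(inputXml), UntrustedReaderSettings()))
            using (var writer = XmlWriter.Create(output, xslt.OutputSettings))
            {
                xslt.Transform(input, null, writer, null /* documentResolver */);
            }
            return output.ToString();
        }
    }

    class Program
    {
        // Constructed sample stylesheet: plain templating, nothing that needs script or document().
        const string PlainStylesheet = @"<?xml version=""1.0""?>
<xsl:stylesheet version=""1.0"" xmlns:xsl=""http://www.w3.org/1999/XSL/Transform"">
  <xsl:output method=""text""/>
  <xsl:template match=""/"">Hello, <xsl:value-of select=""/greeting/@name""/>!</xsl:template>
</xsl:stylesheet>";

        // Constructed sample stylesheet carrying an msxsl:script block, the kind of content
        // CA5374 is concerned with when it arrives from an untrusted source.
        const string ScriptStylesheet = @"<?xml version=""1.0""?>
<xsl:stylesheet version=""1.0"" xmlns:xsl=""http://www.w3.org/1999/XSL/Transform""
    xmlns:msxsl=""urn:schemas-microsoft-com:xslt"" xmlns:user=""urn:user"">
  <msxsl:script language=""C#"" implements-prefix=""user"">
    public string Shout(string s) { return s.ToUpper(); }
  </msxsl:script>
  <xsl:output method=""text""/>
  <xsl:template match=""/""><xsl:value-of select=""user:Shout(/greeting/@name)""/></xsl:template>
</xsl:stylesheet>";

        // Constructed sample input document.
        const string InputXml = @"<greeting name=""world""/>";

        static void Main()
        {
            // The benign stylesheet compiles and runs under the restrictive settings.
            var xslt = SafeXslt.LoadUntrustedStylesheet(PlainStylesheet);
            Console.WriteLine(SafeXslt.TransformUntrusted(xslt, InputXml));

            // The script-bearing stylesheet is rejected while compiling, because
            // XsltSettings.Default leaves EnableScript false; the script body never runs.
            try
            {
                SafeXslt.LoadUntrustedStylesheet(ScriptStylesheet);
                Console.WriteLine("unexpected: script stylesheet compiled");
            }
            catch (XsltException ex)
            {
                Console.WriteLine("rejected as expected: " + ex.Message);
            }
        }
    }
}
```

Two design points worth noting. The resolver is passed as null in both places, at Load for xsl:import/xsl:include and at Transform for document(), so that restricting the stylesheet does not depend only on the XsltSettings flags. And the input document is read with DtdProcessing.Prohibit and a null XmlResolver, since the XML being transformed is as untrusted as the stylesheet. If a stylesheet genuinely needs document() or script, XsltSettings.TrustedXslt enables both, but that is the case the rule's "When to suppress" section reserves for fully trusted sources.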

When to suppress

The System.Xml.Xsl.XslTransform object, XSLT style sheets, and XML source data are all from trusted sources.

Group results: 0 yes, 0 no. Consensus: None (disabled).
Severity preference (yes voters): Suggestion 0, Warning 0, Error 0.