If denial of service is a concern, do not accept untrusted style sheets or untrusted documents for transformation.
It is not safe to compile and execute an untrusted style sheet within a trusted page (such as a page from your local hard drive).
The style sheet may contain script statements that are capable of loading trusted files and sending them back to the untrusted domain.

It is possible to extend the power of XSLT using JavaScript embedded into the XSL file. Therefore any web application that allows the user to upload their own XSL file will be vulnerable to Cross Site Scripting attacks.

Well, that's not exactly true, at least on the Microsoft platform. .NET (since 2.0) doesn't allow script extensions and the document() function in XSLT by default. So the truth is a bit different: any web application that allows the user to upload their own XSL file and explicitly allows executing embedded scripts will be vulnerable to Cross Site Scripting attacks.

While we are at this, here is a refresher on this important-to-know topic, MSXML 6.0 XSLT Security:

Untrusted style sheets are those that come from an untrustworthy domain. There is no way to eliminate denial of service (DoS) attacks when processing untrusted style sheets or untrusted documents without removing necessary functionality. The XSLT document function provides a way to retrieve other XML resources from within the XSLT style sheet beyond the initial data provided by the input stream. If you must use the document function, load only documents you trust. Included and imported style sheets run in the same security context as the main style sheet.
For example, if scripts are allowed in the main style sheet, they will be allowed in all the included and imported files.
You should not load untrusted documents via the document function. Scripts and the document function are allowed and processed by default in MSXML 4.0 and 5.0 for backward compatibility.

XSLT supports scripting inside style sheets using the msxsl:script element.

This allows custom functions to be used in an XSLT transformation. If you require scripting in your XSLT transformations, you can enable the feature by setting the AllowXsltScript property to true. Internet Explorer uses MSXML 3.0 by default, so when the MIME viewer is used to run transformations, Internet Explorer's security settings are used.

However, if you use MSXML 6.0 via script in Internet Explorer to execute transformations, then when the AllowXsltScript property is set to true, Internet Explorer's security settings are used for executing scripts.

The DOM supports XSLT transformations via calls to the transformNode and transformNodeToObject methods.
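The .NET 2.0+ default described above can be seen directly with XslCompiledTransform. The following is an added example, not code from the original post: it compiles one constructed style sheet containing an msxsl:script block under XsltSettings.Default (scripts and document() off), under XsltSettings.TrustedXslt (both on), and under an explicit script-only opt-in, and reports which ones the processor accepts. The style sheet text, the class and method names are all made up for the demonstration.

```csharp
using System;
using System.IO;
using System.Xml;
using System.Xml.Xsl;

// Added example (not from the original post). Demonstrates that
// XslCompiledTransform rejects script extensions unless the caller
// explicitly enables them through XsltSettings.
public static class XsltSettingsDemo
{
    // Constructed sample: a style sheet that embeds a script extension.
    private const string UntrustedXsl = @"<?xml version=""1.0""?>
<xsl:stylesheet version=""1.0""
    xmlns:xsl=""http://www.w3.org/1999/XSL/Transform""
    xmlns:msxsl=""urn:schemas-microsoft-com:xslt""
    xmlns:user=""urn:user"">
  <msxsl:script language=""C#"" implements-prefix=""user"">
    public string Hello() { return ""script ran""; }
  </msxsl:script>
  <xsl:template match=""/"">
    <out><xsl:value-of select=""user:Hello()""/></out>
  </xsl:template>
</xsl:stylesheet>";

    // Compile the sample style sheet under the given settings.
    // Returns null if the processor accepted it, otherwise the error text.
    public static string TryCompile(XsltSettings settings)
    {
        var xslt = new XslCompiledTransform();
        using (var reader = XmlReader.Create(new StringReader(UntrustedXsl)))
        {
            try
            {
                // A null resolver also stops xsl:include / xsl:import from
                // pulling in external style sheets at compile time.
                xslt.Load(reader, settings, null);
                return null;
            }
            catch (XsltException ex)
            {
                return ex.Message;
            }
        }
    }

    public static void Main()
    {
        // Default: EnableScript = false, EnableDocumentFunction = false.
        Console.WriteLine("Default:     " + (TryCompile(XsltSettings.Default) ?? "compiled"));

        // TrustedXslt: both enabled. Only for style sheets you authored yourself.
        Console.WriteLine("TrustedXslt: " + (TryCompile(XsltSettings.TrustedXslt) ?? "compiled"));

        // Explicit opt-in: this is the "explicitly allows executing embedded
        // scripts" case from the text, and the one that turns an upload into XSS.
        var scriptOnly = new XsltSettings(enableDocumentFunction: false, enableScript: true);
        Console.WriteLine("Script only: " + (TryCompile(scriptOnly) ?? "compiled"));
    }
}
```

Under the default settings the Load call fails with an XsltException and the style sheet never runs; only the two opt-in cases compile. Note that msxsl:script blocks are supported on .NET Framework only; on .NET Core and later the opt-in is not available, so there the default behaviour is the only behaviour.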
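When the transformation will run in a client such as Internet Explorer or in an older MSXML version that still processes scripts and document() by default, the server cannot rely on the processor's settings and should screen uploaded XSL files itself. The following is an added example, not code from the original post: it walks an uploaded style sheet once with a non-resolving XmlReader and flags the msxsl:script element, the document() function in XPath attributes, and xsl:include / xsl:import references. The class name, the sample upload and its URL are constructed for the demonstration; the string match on "document(" is deliberately coarse and is a pre-filter, not a replacement for running the processor with scripts and document() disabled.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Xml;

// Added example (not from the original post). Screens an uploaded XSL
// document for the constructs the text identifies as risky before it is
// handed to any XSLT processor (MSXML or .NET).
public static class XslUploadScreener
{
    private const string MsxslNs = "urn:schemas-microsoft-com:xslt";
    private const string XslNs = "http://www.w3.org/1999/XSL/Transform";

    // Returns one finding per flagged construct; an empty list means clean.
    // Throws XmlException if the upload is not well-formed or carries a DTD.
    public static List<string> Screen(string xslText)
    {
        var findings = new List<string>();
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // no DTD or entity expansion
            XmlResolver = null                       // never fetch external resources
        };
        using (var reader = XmlReader.Create(new StringReader(xslText), settings))
        {
            var lineInfo = reader as IXmlLineInfo;
            while (reader.Read())
            {
                if (reader.NodeType != XmlNodeType.Element) continue;
                int line = lineInfo?.LineNumber ?? 0;

                if (reader.NamespaceURI == MsxslNs && reader.LocalName == "script")
                    findings.Add($"line {line}: msxsl:script extension block");

                if (reader.NamespaceURI == XslNs &&
                    (reader.LocalName == "include" || reader.LocalName == "import"))
                    findings.Add($"line {line}: xsl:{reader.LocalName} href='{reader.GetAttribute("href")}'");

                // document() may appear in any XPath-bearing attribute (select, test, match, ...)
                if (reader.HasAttributes)
                {
                    while (reader.MoveToNextAttribute())
                    {
                        if (reader.Value.Contains("document("))
                            findings.Add($"line {line}: document() call in @{reader.Name}");
                    }
                    reader.MoveToElement();
                }
            }
        }
        return findings;
    }

    public static void Main()
    {
        // Constructed upload that exercises all three checks.
        const string upload = @"<xsl:stylesheet version=""1.0""
  xmlns:xsl=""http://www.w3.org/1999/XSL/Transform""
  xmlns:msxsl=""urn:schemas-microsoft-com:xslt"" xmlns:u=""urn:u"">
  <xsl:import href=""http://untrusted.example/other.xsl""/>
  <msxsl:script language=""JScript"" implements-prefix=""u"">function f(){return 1;}</msxsl:script>
  <xsl:template match=""/"">
    <xsl:copy-of select=""document('local.xml')""/>
  </xsl:template>
</xsl:stylesheet>";

        try
        {
            var findings = Screen(upload);
            if (findings.Count == 0) Console.WriteLine("ACCEPT: no risky constructs found");
            foreach (var f in findings) Console.WriteLine("REJECT: " + f);
        }
        catch (XmlException ex)
        {
            Console.WriteLine("REJECT: not well-formed or uses a DTD: " + ex.Message);
        }
    }
}
```

The sample upload produces three REJECT lines (the import, the script block and the document() call). A style sheet that passes this screen should still be executed with scripting and the document function disabled, since the screen only looks at the uploaded text and not at what an included file would bring in.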