Reputation: 2283
We have the following code in one project as a part of generating a simple Excel file from a template:
```csharp
using System.IO;
using System.Xml;
using System.Xml.Xsl;

XslCompiledTransform xt = new XslCompiledTransform();
StreamReader reader = new StreamReader(DeploymentFolder + "bin\\Excel.xsl");
XmlTextReader xRdr = new XmlTextReader(reader);
xt.Load(xRdr, new XsltSettings(false, false), null); // (enableDocumentFunction, enableScript)
```
It works just fine, however the code is not secure, since it is susceptible to Injection attacks. Ideally it should be validated against a schema. So where would I find a schema that validates an XSL file? Is there a built in schema in .NET that does that?
Upvotes: 0
Views: 860
Reputation: 163595
There are official W3C schemas for XSLT 2.0 and XSLT 3.0, linked from the XSLT 2.0 and XSLT 3.0 specifications. I think there's also an unofficial one for XSLT 1.0 somewhere.
But they aren't going to help you. The way you do an injection attack in XSLT is typically to invoke an extension function written in another language such as C# (for example, a call out to exec()), and you can't distinguish extension functions from built-in functions at the level of a schema. Some products such as Saxon have a switch to disable use of extension functions, and with that set you are pretty safe; you might also need a URIResolver/XMLResolver to police use of the document() function. I don't know whether Microsoft's System.Xml.Xsl processor has such a switch, but I would be surprised if not.
Upvotes: 1
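To show what the "switch" discussed above looks like on the .NET side, here is an added example (not code from the question or the answer). It compiles a constructed stylesheet that contains an msxsl:script block and a document() call, first with XsltSettings.Default (script and document() both disabled, which is what the asker's XsltSettings(false, false) already selects) and then with both features enabled. The stylesheet text and the file name other.xml are constructed for the demo; the null XmlResolver passed to Load is what stops xsl:import, xsl:include and document() from fetching anything during compilation.

```csharp
using System;
using System.IO;
using System.Xml;
using System.Xml.Xsl;

// Added example: exercises XslCompiledTransform with restrictive and permissive
// XsltSettings against a stylesheet that uses a script block and document().
class XsltHardeningDemo
{
    // Constructed sample stylesheet (not from the original post). It uses the two
    // features an untrusted template could abuse: an msxsl:script block, which
    // compiles to C# at load time, and document(), which reads an external file.
    const string UntrustedStylesheet = @"<?xml version=""1.0""?>
<xsl:stylesheet version=""1.0""
    xmlns:xsl=""http://www.w3.org/1999/XSL/Transform""
    xmlns:msxsl=""urn:schemas-microsoft-com:xslt""
    xmlns:user=""urn:user"">
  <msxsl:script language=""C#"" implements-prefix=""user"">
    public string Hello() { return ""hi""; }
  </msxsl:script>
  <xsl:template match=""/"">
    <out>
      <xsl:value-of select=""user:Hello()""/>
      <xsl:copy-of select=""document('other.xml')""/>
    </out>
  </xsl:template>
</xsl:stylesheet>";

    // Compiles the stylesheet with the given settings.
    // Returns null when Load succeeds, otherwise the exception message.
    static string TryLoad(string stylesheet, XsltSettings settings)
    {
        try
        {
            var xt = new XslCompiledTransform();
            using (var reader = XmlReader.Create(new StringReader(stylesheet)))
            {
                // A null XmlResolver: nothing external (xsl:import, xsl:include,
                // document()) can be resolved while the stylesheet is compiled.
                xt.Load(reader, settings, null);
            }
            return null;
        }
        catch (Exception e)
        {
            return e.Message;
        }
    }

    static void Main()
    {
        // Hardened: XsltSettings.Default has EnableScript = false and
        // EnableDocumentFunction = false, so the compiler rejects this stylesheet.
        string hardened = TryLoad(UntrustedStylesheet, XsltSettings.Default);
        Console.WriteLine("Default settings: " + (hardened ?? "load succeeded"));

        // Permissive: both features switched on. The script block is compiled as
        // C# and document() is accepted, so an untrusted template gets code execution
        // and file-read capability on the server.
        var permissive = new XsltSettings(enableDocumentFunction: true, enableScript: true);
        string weak = TryLoad(UntrustedStylesheet, permissive);
        Console.WriteLine("Permissive settings: " + (weak ?? "load succeeded"));
    }
}
```

Two practical notes: on .NET Framework the permissive run compiles the script block and only fails later, at Transform time, when other.xml cannot be read; on .NET Core and .NET 5+ XslCompiledTransform does not support script blocks at all, so enabling them throws PlatformNotSupportedException. Either way, for a template that is not fully trusted, keep script and document() disabled, pass a null (or tightly scoped) XmlResolver to both Load and Transform, and expose only the extension objects you register explicitly through XsltArgumentList; a schema check on the stylesheet adds nothing to that, for the reason given in the answer.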