XSLT Injection
ID | xslt_injection
Severity | high
Kind | Injection
CWE | 91
Description
Injection using XSL transformations may be possible, and may allow an attacker to read system information, read and write files, or execute arbitrary code.
Rationale
XSLT injection occurs when user-controlled input is embedded into XSLT stylesheets without proper sanitization, allowing attackers to inject malicious XSLT code that executes during transformation. Attackers exploit this by injecting XSLT functions that read local files, execute system commands, perform server-side request forgery, or access environment variables. Because XSLT processors often run with elevated privileges and support powerful extension functions, successful injection can lead to complete system compromise, data exfiltration, or lateral movement within the infrastructure.
Remediation
Never incorporate user input directly into XSLT stylesheets or transformation parameters. Use parameterized transformations where user data is passed as strictly typed parameters rather than concatenated into stylesheet code. Disable XSLT extension functions and external document access unless absolutely required. If dynamic XSLT is unavoidable, implement strict input validation using allowlists and consider using a sandboxed XSLT processor with limited capabilities.
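The following is an added example (not part of this page or any particular product) showing the vulnerable concatenation pattern next to the remediation above as applied with standard JAXP: a fixed stylesheet, user data bound through an xsl:param, extension functions disabled via FEATURE_SECURE_PROCESSING, and external DTD/stylesheet access blocked. The stylesheet, class and method names are illustrative; the access-control attributes are honored by the JDK's built-in processor.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;
import java.io.StringWriter;

public final class XsltReport {
    // VULNERABLE: user input becomes part of the stylesheet text, so anything that
    // looks like XSLT (value-of, document(), extension calls) is parsed and executed.
    static String vulnerableStylesheet(String userTitle) {
        return "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
             + "<xsl:template match=\"/\"><h1>" + userTitle + "</h1></xsl:template></xsl:stylesheet>";
    }

    // SAFE: the stylesheet is a constant; user data only ever enters through $title.
    private static final String STYLESHEET =
        "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
      + "<xsl:param name=\"title\"/>"
      + "<xsl:template match=\"/\"><report><h1><xsl:value-of select=\"$title\"/></h1>"
      + "<xsl:copy-of select=\"/data/*\"/></report></xsl:template></xsl:stylesheet>";

    public static Transformer hardenedTransformer() throws TransformerException {
        TransformerFactory tf = TransformerFactory.newInstance();
        // Disables extension functions (e.g. Java method calls from XSLT) in the JDK processor.
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Empty protocol list: document(), xsl:include and xsl:import cannot reach external resources.
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf.newTransformer(new StreamSource(new StringReader(STYLESHEET)));
    }

    public static String render(String xmlInput, String userTitle) throws TransformerException {
        Transformer t = hardenedTransformer();
        // Parameter binding treats the value as a string, never as stylesheet code,
        // so XSLT-looking markup in userTitle is emitted as escaped literal text.
        t.setParameter("title", userTitle);
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(xmlInput)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws TransformerException {
        // Constructed sample input; the title deliberately contains XSLT-shaped markup.
        String data = "<data><item>one</item></data>";
        String hostile = "<xsl:value-of select=\"system-property('xsl:vendor')\"/>";
        System.out.println(render(data, hostile));
    }
}
```

With the parameterized path the output contains the hostile title as `&lt;xsl:value-of ...&gt;` text; with vulnerableStylesheet the same string would be compiled as part of the transform.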