More security changes made in XSLT in .NET 2.0 Beta2. When working with XslCompiledTransform class:
document() function is disabled by default. To enable it, one has to provide XsltSettings enum value with EnableDocumentFunction field set to the XslCompiledTransform.Load() method:
XslCompiledTransform xslt = new XslCompiledTransform();
XsltSettings settings = new XsltSettings();
settings.EnableDocumentFunction = true;
xslt.Load("style.xslt", settings, new XmlUrlResolver());
or
XslCompiledTransform xslt = new XslCompiledTransform();
XsltSettings settings = new XsltSettings(true, false);
xslt.Load("style.xslt", settings, new XmlUrlResolver());
(first argument in the XsltSettings constructor controls
document() function enabling).
Or even (for full trusted stylesheets):
XslCompiledTransform xslt = new XslCompiledTransform();
xslt.Load("style.xslt", XsltSettings.TrustedXslt, new XmlUrlResolver());
Note, that then one must provide an instance of XmlResolver class to the XslCompiledTransform.Load() method. It` used to resolve stylesheet URI and
xsl:include/xsl:import statements and somehow cannot be null, so there doesn`t seem to be any way to disable
xsl:include/xsl:import, despite the documentation claims
xsl:include/xsl:import are enabled
by default. Weird.
And even if at compile time the document() function was enabled, one can supress it provideing null as a XmlResolver to the XslCompiledTransform.Transform() method. And btw, there is only one Transform() overload, which accepts XmlResolver, which is also weird, because it requires XmlReader and what if I`ve got IXPathNavigable as a source XML
Script blocks are disabled by default too. Use the same XsltSettings enum to enable it.
Contents
ReBlogger Contents
Email TopXML