
Remediation Steps

Follow the steps below to remediate this finding on Generic / Developer guidance.

  1. XSLT injection occurs when user-supplied input is incorporated into an XSL stylesheet, or into XML data that is processed by an XSLT processor, without validation. An XSLT stylesheet is a program: an attacker who controls any part of it can read local files and remote resources through document(), xsl:include and xsl:import, and can execute code wherever the processor exposes scripting extensions.

  2. Remediation:

    • Never allow users to supply or modify XSLT stylesheets. Keep stylesheets as fixed application resources and pass user data into them as XSLT parameters, never by concatenating it into the stylesheet text.
    • Validate and sanitise all XML input before processing with XSLT.
    • Use an XML parser configured to reject external entities (XXE protection).
    • Use a restrictive XSLT processor configuration that disables scripting extensions (e.g. PHP or JavaScript functions callable from XSL) and denies file and network access. In PHP, never call XSLTProcessor::registerPHPFunctions() on a processor that handles untrusted input, and use XSLTProcessor::setSecurityPrefs() to deny file and network access; the default preferences (XSL_SECPREF_DEFAULT) only block writes and still allow reading files and the network.
    • Apply input validation using an allowlist of permitted XML elements and attributes.

  3. In PHP (DOMDocument):

    // libxml_disable_entity_loader() is deprecated since PHP 8.0 and unnecessary with libxml >= 2.9,
    // where external entities are not loaded by default; call it only on PHP < 8.0 with an older libxml.
    $dom = new DOMDocument();
    // Never pass LIBXML_NOENT or LIBXML_DTDLOAD: they expand entities and load external DTDs, which is
    // exactly what enables XXE. LIBXML_NONET additionally forbids any network access by the parser.
    $dom->loadXML($xml, LIBXML_NONET);
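As an added example (not code from the original guidance), the following PHP script applies steps 2 and 3 together in one rendering helper: a fixed stylesheet, an XML parser that neither expands entities nor touches the network, an XSLTProcessor with file and network access denied and no PHP functions registered, and user data bound as an allowlisted XSLT parameter. The vulnerable pattern is kept alongside it for contrast. The function names, the stylesheet and the sample documents are constructed for this illustration.

```php
<?php
declare(strict_types=1);

// Fixed, application-owned stylesheet (constructed for this example). User data
// reaches it only through the "username" parameter, never by string concatenation.
const REPORT_XSL = <<<'XSL'
<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="html" encoding="UTF-8"/>
  <xsl:param name="username" select="'anonymous'"/>
  <xsl:template match="/report">
    <h1>Report for <xsl:value-of select="$username"/></h1>
    <ul>
      <xsl:for-each select="item">
        <li><xsl:value-of select="@name"/>: <xsl:value-of select="."/></li>
      </xsl:for-each>
    </ul>
  </xsl:template>
</xsl:stylesheet>
XSL;

// VULNERABLE pattern, kept only for contrast: the request chooses the stylesheet,
// so document() and xsl:include run with the web server's privileges,
// registerPHPFunctions() exposes PHP functions as php:function(), and
// LIBXML_NOENT expands external entities in the data (XXE).
function renderUnsafe(string $untrustedXml, string $untrustedXsl): string
{
    $xsl = new DOMDocument();
    $xsl->loadXML($untrustedXsl);
    $proc = new XSLTProcessor();
    $proc->registerPHPFunctions();
    $proc->importStylesheet($xsl);
    $doc = new DOMDocument();
    $doc->loadXML($untrustedXml, LIBXML_NOENT);
    return (string) $proc->transformToXml($doc);
}

// Hardened version. Each control maps to one remediation step above:
//  - only the fixed REPORT_XSL is imported, never request data;
//  - the parser gets LIBXML_NONET and no LIBXML_NOENT/LIBXML_DTDLOAD, and any
//    DOCTYPE is rejected outright (a report never needs one);
//  - setSecurityPrefs() denies all file and network access (the default,
//    XSL_SECPREF_DEFAULT, still allows reading files and the network);
//  - registerPHPFunctions() is never called, so php:function() is unavailable;
//  - user data is allowlisted and bound with setParameter() instead of being
//    spliced into the stylesheet.
function renderReport(string $untrustedXml, string $username): string
{
    // Allowlist the parameter. This also avoids quoting surprises: PHP's
    // setParameter() rejects values containing both ' and " on many versions.
    if (preg_match('/\A[A-Za-z0-9_.-]{1,64}\z/', $username) !== 1) {
        throw new InvalidArgumentException('username not permitted');
    }

    $previous = libxml_use_internal_errors(true);
    try {
        $doc = new DOMDocument();
        if (!$doc->loadXML($untrustedXml, LIBXML_NONET)) {
            throw new InvalidArgumentException('malformed XML input');
        }
        if ($doc->doctype !== null) {
            throw new InvalidArgumentException('DOCTYPE not permitted');
        }

        $xsl = new DOMDocument();
        $xsl->loadXML(REPORT_XSL);

        $proc = new XSLTProcessor();
        $proc->setSecurityPrefs(
            XSL_SECPREF_READ_FILE | XSL_SECPREF_WRITE_FILE | XSL_SECPREF_CREATE_DIRECTORY
            | XSL_SECPREF_READ_NETWORK | XSL_SECPREF_WRITE_NETWORK
        );
        $proc->importStylesheet($xsl);
        $proc->setParameter('', 'username', $username);

        $html = $proc->transformToXml($doc);
        if (!is_string($html)) {
            throw new RuntimeException('XSLT transform failed');
        }
        return $html;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previous);
    }
}

// Constructed sample inputs. The hostile document declares an external entity;
// it is never expanded (no LIBXML_NOENT) and the DOCTYPE check rejects it anyway.
$benign  = '<report><item name="status">ok</item><item name="count">3</item></report>';
$hostile = '<!DOCTYPE report [<!ENTITY xxe SYSTEM "file:///etc/hostname">]>'
         . '<report><item name="status">&xxe;</item></report>';

echo renderReport($benign, 'alice'), PHP_EOL;
try {
    renderReport($hostile, 'alice');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Requires ext/dom and ext/xsl. On PHP older than 8.0 running against libxml before 2.9, also call libxml_disable_entity_loader(true) before parsing, since those builds load external entities by default. The security preferences are set before importStylesheet() so that they also govern xsl:include and xsl:import resolution at import time, not only document() calls during the transform.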