Preventing XSLT Injection

After discussing how to identify and exploit XSLT injection vulnerabilities in the previous sections, we will conclude this module by discussing how to prevent them.

Prevention

Similar to all injection vulnerabilities discussed in this module, XSLT injection can be prevented by ensuring that user input is not inserted into XSL data before it is processed by the XSLT processor. However, if the output should reflect values provided by the user, user-provided data must be added to the XSL document before processing. In this case, it is essential to implement proper sanitization and input validation to avoid XSLT injection vulnerabilities. This may prevent attackers from injecting additional XSLT elements, but the implementation may depend on the output format.

For instance, if the XSLT processor generates an HTML response, HTML-encoding user input before inserting it into the XSL data can prevent XSLT injection vulnerabilities. As HTML-encoding converts all instances of < to < and > to >, an attacker should not be able to inject additional XSLT elements, thus preventing an XSLT injection vulnerability.

Additional hardening measures can mitigate the impact of potential XSLT injection vulnerabilities. These include running the XSLT processor as a low-privilege process, preventing the use of external functions by disabling PHP functions within XSLT, and keeping the XSLT library up to date.