
Veracode reports that the below code is susceptible to CWE-611: Improper Restriction of XML External Entity Reference.

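XslCompiledTransform transform = new XslCompiledTransform();
transform.Load(xslwithospath);
StringWriter results = new StringWriter();
using (XmlReader reader = XmlReader.Create(new StringReader(xml)))
{
    // Assumed completion: the snippet as posted stops at the using line.
    transform.Transform(reader, null, results);
}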

Unfortunately, I can't set the XMLResolver to null because the XSLT uses an include:

<xsl:include href="localfileNameWithoutPath"/>

Is the only resolution to rewrite the XSLT so that it does not have XSL includes, and then set the resolver to null?

Can I use an Xml Secure Resolver, and if so how?
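One way to keep the `xsl:include` working while refusing every other external reference, shown as an added example that is not part of the original question: a custom `XmlResolver` subclass (used here in place of `XmlSecureResolver`) that only serves files from the stylesheet's own directory. The names `LocalIncludeResolver` and `SafeTransform` are hypothetical, and the case-insensitive path comparison assumes a Windows file system.

```csharp
using System;
using System.IO;
using System.Net;
using System.Xml;
using System.Xml.Xsl;

// Hypothetical helper: resolves only file: URIs located under one trusted directory.
sealed class LocalIncludeResolver : XmlResolver
{
    private readonly string _root;   // trusted stylesheet directory, with trailing separator
    private readonly XmlUrlResolver _inner = new XmlUrlResolver();

    public LocalIncludeResolver(string stylesheetDirectory)
    {
        _root = Path.GetFullPath(stylesheetDirectory)
                    .TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
    }

    public override ICredentials Credentials { set { } }   // never forward credentials

    public override object GetEntity(Uri absoluteUri, string role, Type ofObjectToReturn)
    {
        // Reject http:, ftp:, UNC shares, and any local path outside the trusted directory.
        if (!absoluteUri.IsFile || absoluteUri.IsUnc ||
            !Path.GetFullPath(absoluteUri.LocalPath).StartsWith(_root, StringComparison.OrdinalIgnoreCase))
            throw new XmlException("Blocked external reference: " + absoluteUri);
        return _inner.GetEntity(absoluteUri, role, ofObjectToReturn);
    }
}

static class SafeTransform
{
    public static string Run(string xslPath, string xml)
    {
        var transform = new XslCompiledTransform();
        // XsltSettings.Default keeps the document() function and embedded script disabled.
        transform.Load(xslPath, XsltSettings.Default,
                       new LocalIncludeResolver(Path.GetDirectoryName(Path.GetFullPath(xslPath))));

        // Input document: DTDs prohibited and no resolver, so no entity can be fetched.
        var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null };
        using (var results = new StringWriter())
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
        {
            transform.Transform(reader, null, results);
            return results.ToString();
        }
    }
}
```

Whether a given static-analysis tool recognises a custom resolver as a mitigation depends on the tool; the explicit `XmlReaderSettings` on the input reader is the part that addresses entity resolution in the untrusted XML itself.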
