1

Veracode reports that the below code is susceptible to CWE-611: Improper Restriction of XML External Entity Reference.

XslCompiledTransform transform = new XslCompiledTransform();
transform.Load(xslwithospath);
StringWriter results = new StringWriter();
using (XmlReader reader = XmlReader.Create(new StringReader(xml)))

Unfortunately I can't set the XMLResolver to null because the XSLT uses an include

<xsl:include href="localfileNameWithoutPath"/>

Is the only resolution to rewrite the XSLT so that it does not have XSL includes, and then set the resolver to null?

Can I use an Xml Secure Resolver, and if so how?

Hoppe
  • 143
  • 5

0 Answers0