Protecting from XSLT injection

Question

I use a xsl tranform to convert a xml file to html in dotNet. I transform the node values in the xml to html tag contents and attributes.

I compose the xml by using .Net DOM manipulation, setting the InnerText property of the nodes with the arbitrary and possibly malicious text. Right now, maliciously crafted input strings will make my html unsafe. Unsafe in the sense that some javascript might come from the the user and find its way to a link href attribute in the output html, for example.

The question is simple, what is the sanitizing, if any, that I have to do with my text before assigning it to the InnerText property? I thought that assigning to InnerText instead of InnerXml would do all the needed sanitization of the text, but that seems to not be the case.

Does my transform have to have any special characteristics to make this work safely? Any .net specific caveats that I should be aware?

Thanks!

Answer 1

You should sanitize your XML before transforming it with XSLT. You probably will need something like:

string encoded = HttpUtility.HtmlEncode("<script>alert('hi')</script>");
XmlElement node = xml.CreateElement("code");
node.InnerText = encoded;

Console.WriteLine(encoded);
Console.WriteLine(node.OuterXml);

With this, you'll get

<script>alert('hi')</script>

When you add this text into your node, you'll get

<code>&amp;lt;script&amp;gt;alert('hi')&amp;lt;/script&amp;gt;</code>

Now, if you run your XSLT, this encoded HTML will not cause any problems in your output.

Answer 2

It turns out that the problem came from the xsl itself, wich used disable-output-escaping. Without that the Tranform itself will do all the encoding necessary.

If you must use disable-output-escaping, you have to use the appriate encodeinf function for each element. HtmlEncode for tag contents, HtmlAttributeEncode for attribute values and UrlEncode for html attribute values (e.g href)