The System.Xml.Xsl.XslCompiledTransform class is an XSLT processor that supports the XSLT 1.0 syntax. It is a new implementation and includes performance gains when compared to the obsolete System.Xml.Xsl.XslTransform class. The structure of the System.Xml.Xsl.XslCompiledTransform class is very similar to the System.Xml.Xsl.XslTransform class. The System.Xml.Xsl.XslCompiledTransform.Load method loads and compiles the style sheet, while the System.Xml.Xsl.XslCompiledTransform.Transform method executes the XSLT transform.
Support for the XSLT document() function and embedded script blocks is disabled by default. These features can be enabled by creating a System.Xml.Xsl.XsltSettings object and passing it to the System.Xml.Xsl.XslCompiledTransform.Load method.
For more information, see Using the XsltCompiledTransform Class and Migrating From the XslTransform Class.
When creating an application that uses the System.Xml.Xsl.XslCompiledTransform class, you should be aware of the following items and their implications:
XSLT scripting is disabled by default. XSLT scripting should be enabled only if you require script support and you are working in a fully trusted environment.
The XSLT document() function is disabled by default. If you enable the document() function, restrict the resources that can be accessed by passing a System.Xml.XmlSecureResolver object to the System.Xml.Xsl.XslCompiledTransform.Transform method.
Extension objects are enabled by default. If a System.Xml.Xsl.XsltArgumentList object containing extension objects is passed to the System.Xml.Xsl.XslCompiledTransform.Transform method, the extension objects are used.
XSLT style sheets can include references to other files and embedded script blocks. A malicious user can exploit this by supplying you with data or style sheets that, when executed, cause your system to process until the computer runs low on resources.
XSLT applications that run in a mixed trust environment can result in style sheet spoofing. For example, a malicious user can load an object with a harmful style sheet and hand it off to another user who subsequently calls the System.Xml.Xsl.XslCompiledTransform.Transform method and executes the transformation.
These security issues can be mitigated by not enabling scripting or the document() function unless the style sheet comes from a trusted source, and by not accepting System.Xml.Xsl.XslCompiledTransform objects, XSLT style sheets, or XML source data from an untrusted source.
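The following added example (not part of the original documentation) shows the configuration described above: document() enabled, script left disabled, and document() lookups confined by an XmlSecureResolver passed to Transform. It assumes the .NET Framework; the style sheet is constructed sample data and https://data.example.com/ is a placeholder origin.

```csharp
using System;
using System.IO;
using System.Xml;
using System.Xml.Xsl;

class RestrictedTransformExample
{
    // Constructed sample style sheet; the document() URL is a placeholder.
    const string Stylesheet = @"<xsl:stylesheet version='1.0'
    xmlns:xsl='http://www.w3.org/1999/XSL/Transform'>
  <xsl:template match='/'>
    <out>
      <xsl:copy-of select=""document('https://data.example.com/lookup.xml')""/>
    </out>
  </xsl:template>
</xsl:stylesheet>";

    static void Main()
    {
        // Enable only what is needed: document() on, embedded script off.
        var settings = new XsltSettings(enableDocumentFunction: true, enableScript: false);

        var xslt = new XslCompiledTransform();
        using (var xslReader = XmlReader.Create(new StringReader(Stylesheet)))
        {
            // A null style sheet resolver means xsl:import and xsl:include
            // references to external files are not resolved at load time.
            xslt.Load(xslReader, settings, null);
        }

        // Confine document() to a single origin (placeholder URL).
        var documentResolver = new XmlSecureResolver(
            new XmlUrlResolver(), "https://data.example.com/");

        using (var input = XmlReader.Create(new StringReader("<root/>")))
        using (var output = XmlWriter.Create(Console.Out))
        {
            try
            {
                // A null XsltArgumentList supplies no extension objects.
                xslt.Transform(input, null, output, documentResolver);
            }
            catch (Exception ex)
            {
                // A lookup that is blocked or cannot be fetched ends up here.
                Console.Error.WriteLine("Transform stopped: " + ex.Message);
            }
        }
    }
}
```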