System.Xml.Xsl.XslTransform supports the XSLT 1.0 syntax. The XSLT style sheet must use the namespace http://www.w3.org/1999/XSL/Transform.

Additional arguments can also be added to the style sheet using the System.Xml.Xsl.XsltArgumentList class. This class contains input parameters for the style sheet and extension objects which can be called from the style sheet.

To transform XML data:

Security Considerations

When creating an application that uses the System.Xml.Xsl.XslTransform class, you should be aware of the following items and their implications:

• Extension objects are enabled by default. If an System.Xml.Xsl.XsltArgumentList object containing extension objects is passed to the erload:System.Xml.Xsl.XslTransform.Transform method, they are utilized.

• XSLT style sheets can include references to other files and embedded script blocks. A malicious user can exploit this by supplying you with data or style sheets that when executed will cause your system to process until the computer runs low on resources.

• XSLT applications that run in a mixed trust environment can result in style sheet spoofing. For example, a malicious user can load an object with a harmful style sheet and hand it off to another user who subsequently calls the erload:System.Xml.Xsl.XslTransform.Transform method and executes the transformation.

These security issues can be mitigated by not accepting System.Xml.Xsl.XslTransform objects, XSLT style sheets, or XML source data from untrusted sources.

Scripting Support

This class supports embedded scripting using the msxsl:script element.

In version 1.1 of the .NET Framework, the evidence of the style sheet determines what permissions are given to embedded scripts.

• If the style sheet was loaded from a Uniform Resource Identifier (URI), the URI is used to create the evidence. This evidence includes the URI along with its site and zone.

• If the style sheet was loaded using another source, you can provide evidence by passing a System.Security.Policy.Evidence object to the erload:System.Xml.Xsl.XslTransform.Load method. Otherwise, the script assembly has full trust.

Semi-trusted callers: UnmanagedCode permission is required to compile the embedded script. ControlEvidence permission is required to provide System.Security.Policy.Evidence to the erload:System.Xml.Xsl.XslTransform.Load method. A System.Security.SecurityException is thrown if the caller does not have the necessary permissions. See System.Security.Permissions.SecurityPermission and System.Security.Permissions.SecurityPermissionFlag for more information.

The msxsl:script element has the following requirements:

• The msxsl:script element belongs to the urn:schemas-microsoft-com:xslt namespace. The style sheet must include the namespace declaration xmlns:msxsl=urn:schemas-microsoft-com:xslt.

• The msxsl:script element can include a language attribute that specifies the scripting language to use. The value of the language attribute must be one of the following: C#, CSharp, VB, VisualBasic, JScript, or JavaScript. Because the language name is not case-sensitive, JavaScript and javascript are both valid. If a language attribute is not specified, it defaults to JScript.

• The msxsl:script element must include an implements-prefix attribute that contains the prefix representing the namespace associated with the script block. This namespace must be defined within the style sheet. A style sheet can include multiple script blocks which are grouped by namespace. You cannot have script blocks with multiple languages within the same namespace. Script blocks can call a function defined in another script block, provided the script blocks reside within the same namespace. The contents of a script block are parsed according to the rules and syntax of the scripting language (supplied by the language attribute). For example, if you had a C# script block, comments would be prefixed by the // characters. The comments must be valid XML content.

Note It is recommended that you wrap script blocks in a CDATA section.

 <msxsl:script implements-prefix='xy' language='C#'>
   <![CDATA[
   // Add code here.
   ]]>
 </msxsl:script>

Functions can be declared within the msxsl:script element. The following table shows the namespaces that are supported by default.

The supplied arguments and return values defined by the script functions must be one of the World Wide Web Consortium (W3C) types listed below. The following table details the mapping between the W3C types, either XPath or XSLT, and the corresponding .NET Framework classes.

If the script function utilizes one of the following numeric types: Int16, UInt16, Int32, UInt32, Int64, UInt64, Single, or Decimal, these types are coerced to Double, which maps to the W3C XPath type number.

An exception is thrown when a function is called that cannot convert the argument result to one of the required types.

System.Xml.Xsl.XslTransform has the ability to utilize common language runtime (CLR) code as an extension mechanism. This is accomplished by passing an instance of a class to the System.Xml.Xsl.XslTransform class and calling its public methods within an XSLT style sheet. Methods that are defined with the params keyword, which allows an unspecified number of parameters to be passed, do not work correctly in this scenario. See params (C# Programmers Reference) for more details.

For more information see XSLT Transformations with the XslTransform Class.