CodeQL documentation

XSLT transformation with user-controlled stylesheet

ID: java/xslt-injection
Kind: path-problem
Security severity: 9.8
Severity: error
Precision: high
   - security
   - external/cwe/cwe-074
Query suites:
   - java-code-scanning.qls
   - java-security-extended.qls
   - java-security-and-quality.qls

Click to see the query in the CodeQL repository

XSLT (Extensible Stylesheet Language Transformations) is a language for transforming XML documents into other XML documents or other formats. Processing unvalidated XSLT stylesheets can allow attackers to read arbitrary files from the filesystem or to execute arbitrary code.


The general recommendation is to not process untrusted XSLT stylesheets. If user-provided stylesheets must be processed, enable the secure processing mode.


In the following examples, the code accepts an XSLT stylesheet from the user and processes it.

In the first example, the user-provided XSLT stylesheet is parsed and processed.

In the second example, secure processing mode is enabled.

import javax.xml.XMLConstants;
import javax.xml.transform.TransformerFactory;

public void transform(Socket socket, String inputXml) throws Exception {
  StreamSource xslt = new StreamSource(socket.getInputStream());
  StreamSource xml = new StreamSource(new StringReader(inputXml));
  StringWriter result = new StringWriter();
  TransformerFactory factory = TransformerFactory.newInstance();

  // BAD: User provided XSLT stylesheet is processed
  factory.newTransformer(xslt).transform(xml, new StreamResult(result));

  // GOOD: The secure processing mode is enabled
  factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
  factory.newTransformer(xslt).transform(xml, new StreamResult(result));


  • © GitHub, Inc.
  • Terms
  • Privacy