Disable SQL Server access from XSLT

Sitecore includes an xslExtension helper for use with SQL Server.

We strongly recommend that you disable the xslExtension helper if:

  • You do not need it.

  • You are not using Sitecore XSLT renderings.

To disable the xslExtension helper:

  1. In the app_config/include folder, create a patch file. Give it a file name that ends with the extension .config.

  2. Insert the following code in the patch file:

    <configuration xmlns:patch="http://www.sitecore.net/xmlconfig/">
      <sitecore>
        <!-- disable XSLT security issue see https://doc.sitecore.net/sitecore_experience_platform/setting_up_and_maintaining/security_hardening/configuring/disable_sql_server_access_from_xslt -->
        <xslExtensions>
          <extension type="Sitecore.Xml.Xsl.SqlHelper, Sitecore.Kernel">
            <patch:delete/>
          </extension>
        </xslExtensions>
      </sitecore>
    </configuration>
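
To confirm the patch took effect, the following added example (not part of the Sitecore documentation) checks that a patch file marks Sitecore.Xml.Xsl.SqlHelper for deletion and that a merged configuration no longer registers it. It assumes the merged configuration has been saved as XML, for example from the /sitecore/admin/showconfig.aspx page; the sample XML strings and the Example.Xsl.OtherHelper type are constructed.

```python
import xml.etree.ElementTree as ET

PATCH_NS = "http://www.sitecore.net/xmlconfig/"  # patch namespace from the page
SQL_HELPER = "Sitecore.Xml.Xsl.SqlHelper"        # type removed by the page's patch

# Constructed samples. Example.Xsl.OtherHelper is a hypothetical extension type.
PATCH_FROM_PAGE = f"""<configuration xmlns:patch="{PATCH_NS}"><sitecore><xslExtensions>
  <extension type="Sitecore.Xml.Xsl.SqlHelper, Sitecore.Kernel"><patch:delete/></extension>
</xslExtensions></sitecore></configuration>"""
PATCH_WRONG_TYPE = PATCH_FROM_PAGE.replace("SqlHelper", "SqlHelpr")
MERGED_BEFORE = """<sitecore><xslExtensions>
  <extension type="Example.Xsl.OtherHelper, Example" />
  <extension type="Sitecore.Xml.Xsl.SqlHelper, Sitecore.Kernel" />
</xslExtensions></sitecore>"""
MERGED_AFTER = """<sitecore><xslExtensions>
  <extension type="Example.Xsl.OtherHelper, Example" />
</xslExtensions></sitecore>"""


def _extensions(xml_text):
    """Return the <extension> elements under sitecore/xslExtensions."""
    root = ET.fromstring(xml_text)
    # Accept both <configuration><sitecore>... and a bare <sitecore> root.
    sitecore = root if root.tag == "sitecore" else root.find("sitecore")
    return [] if sitecore is None else sitecore.findall("xslExtensions/extension")


def _type_name(ext):
    # "Sitecore.Xml.Xsl.SqlHelper, Sitecore.Kernel" -> "Sitecore.Xml.Xsl.SqlHelper"
    return ext.get("type", "").split(",")[0].strip()


def patch_deletes_sqlhelper(patch_xml):
    """True if the patch marks the SqlHelper extension with <patch:delete/>."""
    return any(
        _type_name(ext) == SQL_HELPER and ext.find(f"{{{PATCH_NS}}}delete") is not None
        for ext in _extensions(patch_xml)
    )


def sqlhelper_registered(merged_xml):
    """True if the merged configuration still registers the SqlHelper extension."""
    return any(_type_name(ext) == SQL_HELPER for ext in _extensions(merged_xml))


if __name__ == "__main__":
    print("patch from page deletes SqlHelper:", patch_deletes_sqlhelper(PATCH_FROM_PAGE))
    print("patch with typo deletes SqlHelper:", patch_deletes_sqlhelper(PATCH_WRONG_TYPE))
    print("registered before patch:", sqlhelper_registered(MERGED_BEFORE))
    print("registered after patch:", sqlhelper_registered(MERGED_AFTER))
```

A patch whose type attribute does not match the registered extension deletes nothing, so the merged-configuration check is the one that shows the helper is really gone.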