Disable SQL Server access from XSLT

Version: 9.0

Applies to

All core roles

Sitecore Installation Framework

SQL Server access from XSLT is not disabled by default.

Azure Toolkit

SQL Server access from XSLT is not disabled by default.

Sitecore includes an xslExtension helper for use with SQL Server.

We strongly recommended that you disable the xslExtension helper if:

  • You do not need it.

  • You are not using Sitecore XSLT renderings.

To disable the xslExtension helper:

  1. In the App_Config/Include folder, create a patch file. Give it a file name that ends with the extension .config.

  2. Insert the following code in the patch file:

RequestResponse
<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/">
    <sitecore>
    <!-- disable XSLT security issue see https://doc.sitecore.net/sitecore_experience_platform/setting_up_and_maintaining/security_hardening/configuring/disable_sql_server_access_from_xslt -->
        <xslExtensions>
            <extension type="Sitecore.Xml.Xsl.SqlHelper, Sitecore.Kernel">
                <patch:delete/>
            </extension>
        </xslExtensions>
    </sitecore>
</configuration>

Do you have some feedback for us?

If you have suggestions for improving this article,