Disable SQL Server access from XSLT
Abstract
How to disable SQL Server access via the xslExtension included in Sitecore.
Applies to | All core roles |
Sitecore Installation Framework | SQL Server access from XSLT is not disabled by default. |
Azure Toolkit | SQL Server access from XSLT is not disabled by default. |
Sitecore includes an xslExtension helper for use with SQL Server.
We strongly recommend that you disable the xslExtension helper if:
You do not need it.
You are not using Sitecore XSLT renderings.
To disable the xslExtension helper:
1. In the App_Config/Include folder, create a patch file. Give it a file name that ends with the extension .config.
2. Insert the following code in the patch file:
<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/">
  <sitecore>
    <!-- disable XSLT security issue see https://doc.sitecore.net/sitecore_experience_platform/setting_up_and_maintaining/security_hardening/configuring/disable_sql_server_access_from_xslt -->
    <xslExtensions>
      <extension type="Sitecore.Xml.Xsl.SqlHelper, Sitecore.Kernel">
        <patch:delete/>
      </extension>
    </xslExtensions>
  </sitecore>
</configuration>
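To confirm that the patch took effect, check the merged configuration rather than the patch file itself. The following Python script is an added example, not Sitecore's own code: it assumes you have saved the effective configuration (for instance the output of /sitecore/admin/showconfig.aspx) as text, and the function names and the sample XML strings are constructed for illustration.

```python
import xml.etree.ElementTree as ET

PATCH_NS = "http://www.sitecore.net/xmlconfig/"
TARGET = "sitecore.xml.xsl.sqlhelper"  # class removed by the patch, lower-cased

# Constructed samples, not taken from a real installation.
BEFORE = """<sitecore><xslExtensions>
  <extension type="Sitecore.Xml.Xsl.XslHelper, Sitecore.Kernel"/>
  <extension type="Sitecore.Xml.Xsl.SqlHelper,Sitecore.Kernel"/>
</xslExtensions></sitecore>"""
AFTER = """<sitecore><xslExtensions>
  <extension type="Sitecore.Xml.Xsl.XslHelper, Sitecore.Kernel"/>
</xslExtensions></sitecore>"""
PATCH = """<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/"><sitecore>
  <xslExtensions>
    <extension type="Sitecore.Xml.Xsl.SqlHelper, Sitecore.Kernel"><patch:delete/></extension>
  </xslExtensions>
</sitecore></configuration>"""


def class_name(type_attr):
    """Return the lower-cased class part of a 'Class, Assembly' type string."""
    return type_attr.split(",")[0].strip().lower()


def sqlhelper_status(config_xml):
    """Classify config text as 'enabled', 'disabled' or 'patch-file'."""
    root = ET.fromstring(config_xml)
    # Accept a bare <sitecore> root or <configuration><sitecore>.
    sitecore = root if root.tag == "sitecore" else root.find("sitecore")
    if sitecore is None:
        raise ValueError("no <sitecore> element found")
    for ext in sitecore.findall("./xslExtensions/extension"):
        if class_name(ext.get("type", "")) != TARGET:
            continue
        # A patch:delete child means this is an unmerged patch file,
        # which proves nothing about the running configuration.
        if ext.find("{%s}delete" % PATCH_NS) is not None:
            return "patch-file"
        return "enabled"
    return "disabled"


if __name__ == "__main__":
    for name, xml_text in (("before", BEFORE), ("after", AFTER), ("patch", PATCH)):
        print(name, sqlhelper_status(xml_text))
```

A result of "patch-file" means the script was given the patch itself; rerun it against the merged configuration to see whether the helper is still registered.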