Disable SQL Server access from XSLT

Abstract

How to disable SQL Server access via the xslExtension included in Sitecore.

Applies to	All core roles
Sitecore Installation Framework	SQL Server access from XSLT is not disabled by default.
Azure Toolkit	SQL Server access from XSLT is not disabled by default.

Sitecore includes an xslExtension helper for use with SQL Server.

We strongly recommended that you disable the xslExtension helper if:

You do not need it.
You are not using Sitecore XSLT renderings.

To disable the xslExtension helper:

In the App_Config/Include folder, create a patch file. Give it a file name that ends with the extension .config.
Insert the following code in the patch file:

<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/">
    <sitecore>
    <!-- disable XSLT security issue see https://doc.sitecore.net/sitecore_experience_platform/setting_up_and_maintaining/security_hardening/configuring/disable_sql_server_access_from_xslt -->
        <xslExtensions>
            <extension type="Sitecore.Xml.Xsl.SqlHelper, Sitecore.Kernel">
                <patch:delete/>
            </extension>
        </xslExtensions>
    </sitecore>
</configuration>