Disable SQL Server access from XSLT

Version:

Applies to	All core roles
Sitecore Installation Framework	SQL Server access from XSLT is not disabled by default.
Azure Toolkit	SQL Server access from XSLT is not disabled by default.

Sitecore includes an xslExtension helper for use with SQL Server.

We strongly recommended that you disable the xslExtension helper if:

You do not need it.
You are not using Sitecore XSLT renderings.

To disable the xslExtension helper:

In the App_Config/Include folder, create a patch file. Give it a file name that ends with the extension .config.
Insert the following code in the patch file:

<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/">
    <sitecore>
    <!-- disable XSLT security issue see https://doc.sitecore.net/sitecore_experience_platform/setting_up_and_maintaining/security_hardening/configuring/disable_sql_server_access_from_xslt -->
        <xslExtensions>
            <extension type="Sitecore.Xml.Xsl.SqlHelper, Sitecore.Kernel">
                <patch:delete/>
            </extension>
        </xslExtensions>
    </sitecore>
</configuration>

If you have suggestions for improving this article, let us know!