Skip to main content

Disable SQL Server access from XSLT

Abstract

How to disable SQL Server access via the xslExtension included in Sitecore.

Applies to

All core roles

Sitecore Installation Framework

SQL Server access from XSLT is not disabled by default.

Azure Toolkit

SQL Server access from XSLT is not disabled by default.

Sitecore includes an xslExtension helper for use with SQL Server.

We strongly recommended that you disable the xslExtension helper if:

  • You do not need it.

  • You are not using Sitecore XSLT renderings.

To disable the xslExtension helper:

  1. In the App_Config/Include folder, create a patch file. Give it a file name that ends with the extension .config.

  2. Insert the following code in the patch file:

<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/">
    <sitecore>
    <!-- disable XSLT security issue see https://doc.sitecore.net/sitecore_experience_platform/setting_up_and_maintaining/security_hardening/configuring/disable_sql_server_access_from_xslt -->
        <xslExtensions>
            <extension type="Sitecore.Xml.Xsl.SqlHelper, Sitecore.Kernel">
                <patch:delete/>
            </extension>
        </xslExtensions>
    </sitecore>
</configuration>