XSLT supports scripting inside style sheets through a script extension element, so a style sheet is not merely a declarative template: it can carry code that runs during the transformation.

The XSLT document function provides a way to retrieve other XML resources from within the XSLT style sheet beyond the initial data provided by the input stream. If you must use the document function, keep in mind that whatever a style sheet pulls in is processed in the same security context as the style sheet itself. For example, if scripts are allowed in the main style sheet, they will be allowed in all the included and imported files.

You should not load untrusted documents via the document function. Scripts are allowed and processed by default in MSXML 4.0 and 5.0 for backward compatibility; MSXML 6.0 disables both scripts and the document function unless you explicitly turn them on.
It is possible to extend the power of XSLT using JavaScript embedded into the XSL file. Therefore any web application that allows the user to upload their own XSL file will be vulnerable to Cross Site Scripting attacks.

Well, that's not exactly true, at least on the Microsoft platform. MSXML 6.0 and .NET (since 2.0) don't allow script extensions or the document() function in XSLT by default. So the truth is a bit different: any web application that allows the user to upload their own XSL file and explicitly allows executing embedded scripts will be vulnerable. Note also that the damage is not limited to script injected into the output: a script block runs with the privileges of whatever performs the transformation, the trusted page in the browser case, or the server process when the transform happens server-side.

While we are at it, here is a refresher on this important topic, from the MSXML 6.0 XSLT Security documentation:

Untrusted style sheets are those that come from an untrustworthy domain. There is no way to eliminate denial of service (DoS) attacks when processing untrusted style sheets or untrusted documents without removing necessary functionality. If denial of service is a concern, do not accept untrusted style sheets or untrusted documents for transformation. It is not safe to compile and execute an untrusted style sheet within a trusted page (such as a page from your local hard drive). The style sheet may contain script statements, which are capable of loading trusted files and sending them back to the untrusted domain. The DOM supports XSLT transformations via calls to the transformNode method and transformNodeToObject method.
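As an added example (this is not code from the original page or from Microsoft's documentation), here is the .NET side of that statement: an "uploaded" style sheet built to abuse both extension points, a msxsl:script block and document(), run through XslCompiledTransform first with XsltSettings.Default and then with both features explicitly enabled. The temporary secret file and its contents, the urn:demo-user namespace, the class name and the input document are all constructed for the demonstration; executing the script block requires .NET Framework, since .NET Core and later reject script compilation even when it is enabled.

```csharp
using System;
using System.IO;
using System.Xml;
using System.Xml.Xsl;

// Added example, not code from the original page: an "uploaded" style sheet that
// uses both extension points (a msxsl:script block and document()), pushed through
// XslCompiledTransform with the default settings and then with both explicitly
// enabled. The secret file, the style sheet and the input document are constructed here.
static class XsltExtensionDemo
{
    // Hypothetical server-side file the attacker wants; created here so document() has
    // something to read. In a real deployment this is any XML the server process can open.
    static readonly string SecretPath = Path.Combine(Path.GetTempPath(), "xslt-demo-secret.xml");

    static string UntrustedStyleSheet()
    {
        string secretUri = new Uri(SecretPath).AbsoluteUri;   // file:///... URI for document()
        return @"<?xml version=""1.0""?>
<xsl:stylesheet version=""1.0""
    xmlns:xsl=""http://www.w3.org/1999/XSL/Transform""
    xmlns:msxsl=""urn:schemas-microsoft-com:xslt""
    xmlns:user=""urn:demo-user"">
  <xsl:output method=""text""/>
  <!-- script extension: runs as the transforming process, not as page script -->
  <msxsl:script language=""C#"" implements-prefix=""user"">
    public string Host() { return System.Environment.MachineName; }
  </msxsl:script>
  <xsl:template match=""/"">
    <!-- document(): reads a file the input stream never offered -->
    <xsl:value-of select=""document('" + secretUri + @"')/config/password""/>
    <xsl:text>@</xsl:text>
    <xsl:value-of select=""user:Host()""/>
  </xsl:template>
</xsl:stylesheet>";
    }

    // Compile and run the style sheet under the given settings. An XsltException
    // (thrown by Load for a prohibited extension, or by Transform at run time) propagates.
    static string Transform(XsltSettings settings)
    {
        var xslt = new XslCompiledTransform();
        using (var xslReader = XmlReader.Create(new StringReader(UntrustedStyleSheet())))
        {
            xslt.Load(xslReader, settings, new XmlUrlResolver());
        }
        using (var input = XmlReader.Create(new StringReader("<root/>")))
        using (var output = new StringWriter())
        {
            xslt.Transform(input, null, output);
            return output.ToString();
        }
    }

    static void Main()
    {
        File.WriteAllText(SecretPath, "<config><password>hunter2</password></config>");

        // 1. Defaults (EnableDocumentFunction = false, EnableScript = false):
        //    the untrusted style sheet is rejected instead of executed.
        try
        {
            Console.WriteLine("default settings: " + Transform(XsltSettings.Default));
        }
        catch (XsltException e)
        {
            Console.WriteLine("default settings: rejected: " + e.Message);
        }

        // 2. Explicit opt-in, the case the text warns about. Only do this for style
        //    sheets you wrote yourself; with an uploaded one it hands the attacker the
        //    secret and code execution inside this process.
        var permissive = new XsltSettings(enableDocumentFunction: true, enableScript: true);
        try
        {
            Console.WriteLine("both enabled:     " + Transform(permissive));
        }
        catch (Exception e)   // script compilation is not supported on .NET Core / .NET 5+
        {
            Console.WriteLine("both enabled:     " + e.GetType().Name + ": " + e.Message);
        }
    }
}
```

Under the defaults the processor throws before the secret can reach the output; with both settings enabled the output contains the password from a file the input document never referenced, followed by the machine name, and in a web application that output goes straight back to whoever uploaded the style sheet. The MSXML 6.0 counterparts are the AllowXsltScript and AllowDocumentFunction properties, set with setProperty on the DOM document that holds the style sheet, and like the .NET settings both are off by default.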