Disable SQL Server access from XSLT

Last updated Wednesday, November 22, 2017 in Sitecore Experience Platform for Administrator

Sitecore includes an xslExtension helper for use with SQL Server.

We strongly recommended that you disable the xslExtension helper if:

  • You do not need it.
  • You are not using Sitecore XSLT renderings.

To disable the xslExtension helper:

  1. In the app_config/include folder, create a patch file. Give it a file name that ends with the extension .config.
  2. Insert the following code in the patch file:
    <configuration xmlns:patch="http://www.sitecore.net/xmlconfig/">
    <sitecore>
    <!-- disable XSLT security issue see https://doc.sitecore.net/sitecore_experience_platform/setting_up_and_maintaining/security_hardening/configuring/disable_sql_server_access_from_xslt -->
    <xslExtensions>
    <extension type="Sitecore.Xml.Xsl.SqlHelper, Sitecore.Kernel">
    <patch:delete/>
    </extension>
    </xslExtensions>
    </sitecore>
    </configuration>

Send feedback about the documentation to docsite@sitecore.net.