Injection in XSLT parser: switch to secure mode #209
ESIGate supports the esi:include tag along with the stylesheet attribute. This attribute can point to a remote XSLT. This feature can allow an attacker to execute code on the remote server.
We have to switch the XSLT parser to secure mode in order to prevent the execution of malicious commands inserted in stylesheets.
This bug was found by Benoit Côté-Jodoin and reported by Philippe Arteau from GoSecure.