Views:

Applies to Product - Power Pages


What’s happening?
The deep scan returned an issue for XSLT Injection. Injection using XSL transformations may be possible, and may allow an attacker to read system information, read and write files, or execute arbitrary code.


Reason:
This is not expected as strong schema validation is enforced. This is known and has been identified as a false positive.

Resolution:

  1. Review the alerts shared in the scan report for the Power Pages site.
  2. Implement the recommended settings for Content Security Policy (CSP) as outlined in the following documentation:
  3. Manage Content Security Policy
  4. Content Security Policy Overview
  5. After implementing the changes, rerun the scan.
  6. If the scan results remain the same, you may ignore these failure messages as they are confirmed to be false positives.
  7. For the XSLT Injection error, it is categorized as a medium-level warning and is also marked as a false positive.