{
	"id": "67b14559-ce5c-49e3-8f26-2c0c18001462",
	"created_at": "2026-04-06T00:11:45.243078Z",
	"updated_at": "2026-04-10T03:20:50.597584Z",
	"deleted_at": null,
	"sha1_hash": "451fc686c67e9ee06f8e6e17ff25532afae114ea",
	"title": "XSLT Stylesheet Scripting Using \u003cmsxsl:script\u003e",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 77036,
	"plain_text": "XSLT Stylesheet Scripting Using \u003cmsxsl:script\u003e\r\nBy dotnet-bot\r\nArchived: 2026-04-05 21:15:46 UTC\r\nThe XslTransform class supports embedded scripting using the script element.\r\nThe XslTransform class supports embedded scripting using the script element. When the style sheet is loaded,\r\nany defined functions are compiled to Microsoft intermediate language (MSIL) by being wrapped in a class\r\ndefinition and have no performance loss as a result.\r\nThe \u003cmsxsl:script\u003e element is defined below:\r\n\u003cmsxsl:script language = \"language-name\" implements-prefix = \"prefix of user namespace\"\u003e \u003c/msxsl:script\u003e\r\nwhere msxsl is a prefix bound to the namespace urn:schemas-microsoft-com:xslt .\r\nThe language attribute is not mandatory, but if specified, its value must be one of the following: C# , VB ,\r\nJScript , JavaScript , VisualBasic , or CSharp . If not specified, the language defaults to JScript. The\r\nlanguage-name is not case-sensitive, so 'JavaScript' and 'javascript' are equivalent.\r\nThe implements-prefix attribute is mandatory. This attribute is used to declare a namespace and associate it\r\nwith the script block. The value of this attribute is the prefix that represents the namespace. This namespace can be\r\ndefined somewhere in a style sheet.\r\nBecause the msxsl:script element belongs to the namespace urn:schemas-microsoft-com:xslt , the style\r\nsheet must include the namespace declaration xmlns:msxsl=urn:schemas-microsoft-com:xslt .\r\nIf the caller of the script does not have SecurityPermissionFlag access permission, then the script in a style sheet\r\nwill never compile and the call to Load will fail.\r\nIf the caller has UnmanagedCode permission, the script compiles, but the operations that are allowed are\r\ndependent on the evidence that is supplied at load time.\r\nIf you are using one of the Load methods that take an XmlReader or XPathNavigator to load the style sheet, you\r\nneed to use the Load overload that takes an Evidence parameter as one of its arguments. To provide evidence, the\r\ncaller must have SecurityPermissionFlag permission to supply Evidence for the script assembly. If the caller\r\ndoes not have this permission, then they can set the Evidence parameter to null . This causes the Load function\r\nto fail if it finds script. The ControlEvidence permission is considered a very powerful permission that should\r\nonly be granted to highly trusted code.\r\nTo get the evidence from your assembly, use this.GetType().Assembly.Evidence . To get the evidence from a\r\nUniform Resource Identifier (URI), use Evidence e =\r\nhttps://docs.microsoft.com/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script\r\nPage 1 of 5\n\nXmlSecureResolver.CreateEvidenceForUrl(stylesheetURI) .\r\nIf you use Load methods that take an XmlResolver but no Evidence , the security zone for the assembly defaults\r\nto Full Trust. For more information, see SecurityZone and Named Permission Sets.\r\nFunctions can be declared within the msxsl:script element. The following table shows the namespaces that are\r\nsupported by default. You can use classes outside the listed namespaces. However, these classes must be fully\r\nqualified.\r\nDefault Namespaces Description\r\nSystem System class.\r\nSystem.Collection Collection classes.\r\nSystem.Text Text classes.\r\nSystem.Text.RegularExpressions Regular expression classes.\r\nSystem.Xml Core XML classes.\r\nSystem.Xml.Xsl XSLT classes.\r\nSystem.Xml.XPath XML Path Language (XPath) classes.\r\nMicrosoft.VisualBasic Classes for Microsoft Visual Basic scripts.\r\nWhen a function is declared, it is contained in a script block. Style sheets can contain multiple script blocks, each\r\noperating independent of the other. That means that if you are executing inside a script block, you cannot call a\r\nfunction that you defined in another script block unless it is declared to have the same namespace and the same\r\nscripting language. Because each script block can be in its own language, and the block is parsed according to the\r\ngrammar rules of that language parser, you must use the correct syntax for the language in use. For example, if\r\nyou are in a C# script block, then it is an error to use an XML comment node \u003c!-- an XML comment --\u003e in the\r\nblock.\r\nThe supplied arguments and return values defined by the script functions must be one of the World Wide Web\r\nConsortium (W3C) XPath or XSLT types. The following table shows the corresponding W3C types, the\r\nequivalent .NET Framework classes (Type), and whether the W3C type is an XPath type or XSLT type.\r\nType Equivalent .NET Framework Class (Type) XPath type or XSLT type\r\nString System.String XPath\r\nBoolean System.Boolean XPath\r\nNumber System.Double XPath\r\nResult Tree Fragment System.Xml.XPath.XPathNavigator XSLT\r\nhttps://docs.microsoft.com/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script\r\nPage 2 of 5\n\nType Equivalent .NET Framework Class (Type) XPath type or XSLT type\r\nNode Set System.Xml.XPath.XPathNodeIterator XPath\r\nIf the script function utilizes one of the following numeric types: Int16, UInt16, Int32, UInt32, Int64, UInt64,\r\nSingle, or Decimal, they are forced to Double, which maps to the W3C XPath type number. All other types are\r\nforced to a string by calling the ToString method.\r\nIf the script function utilizes a type other than the ones mentioned above, or if the function does not compile when\r\nthe style sheet is loaded into the XslTransform object, an exception is thrown.\r\nWhen using the msxsl:script element, it is highly recommended that the script, regardless of language, be\r\nplaced inside a CDATA section. For example, the following XML shows the template of the CDATA section\r\nwhere your code is placed.\r\n\u003cmsxsl:script implements-prefix='yourprefix' language='CSharp'\u003e\r\n \u003c![CDATA[\r\n ... your code here ...\r\n ]]\u003e\r\n\u003c/msxsl:script\u003e\r\nIt is highly recommended that all script content be placed in a CDATA section, because operators, identifiers, or\r\ndelimiters for a given language have the potential of being misinterpreted as XML. The following example shows\r\nthe use of the logical AND operator in script.\r\n\u003cmsxsl:script implements-prefix='yourprefix' language='CSharp'\u003e\r\n public string book(string abc, string xyz)\r\n {\r\n if ((abc == bar) \u0026\u0026 (abc == xyz)) return bar + xyz;\r\n else return null;\r\n }\r\n\u003c/msxsl:script\u003e\r\nThis throws an exception because the ampersands are not escaped. The document is loaded as XML, and no\r\nspecial treatment is applied to the text between the msxsl:script element tags.\r\nThe following example uses an embedded script to calculate the circumference of a circle given its radius.\r\nusing System;\r\nusing System.IO;\r\nusing System.Xml;\r\nusing System.Xml.XPath;\r\nusing System.Xml.Xsl;\r\n \r\npublic class Sample\r\nhttps://docs.microsoft.com/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script\r\nPage 3 of 5\n\n{\r\n private const String filename = \"number.xml\";\r\n private const String stylesheet = \"calc.xsl\";\r\n \r\n public static void Main()\r\n {\r\n //Create the XslTransform and load the style sheet.\r\n XslTransform xslt = new XslTransform();\r\n xslt.Load(stylesheet);\r\n \r\n //Load the XML data file.\r\n XPathDocument doc = new XPathDocument(filename);\r\n \r\n //Create an XmlTextWriter to output to the console.\r\n XmlTextWriter writer = new XmlTextWriter(Console.Out);\r\n writer.Formatting = Formatting.Indented;\r\n \r\n //Transform the file.\r\n xslt.Transform(doc, null, writer, null);\r\n writer.Close();\r\n }\r\n}\r\nnumber.xml\r\n\u003c?xml version='1.0'?\u003e\r\n\u003cdata\u003e\r\n \u003ccircle\u003e\r\n \u003cradius\u003e12\u003c/radius\u003e\r\n \u003c/circle\u003e\r\n \u003ccircle\u003e\r\n \u003cradius\u003e37.5\u003c/radius\u003e\r\n \u003c/circle\u003e\r\n\u003c/data\u003e\r\ncalc.xsl\r\n\u003cxsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\"\r\n xmlns:msxsl=\"urn:schemas-microsoft-com:xslt\"\r\n xmlns:user=\"urn:my-scripts\"\u003e\r\n \r\n \u003cmsxsl:script language=\"C#\" implements-prefix=\"user\"\u003e\r\n \u003c![CDATA[\r\n public double circumference(double radius)\r\n {\r\n double pi = 3.14;\r\nhttps://docs.microsoft.com/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script\r\nPage 4 of 5\n\ndouble circ = pi*radius*2;\n return circ;\n }\n ]]\u003e 1275.3637.5235.5 XslTransform Class Implements the XSLT Processor\nSource: https://docs.microsoft.com/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script\nhttps://docs.microsoft.com/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script\nPage 5 of 5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://docs.microsoft.com/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script"
	],
	"report_names": [
		"xslt-stylesheet-scripting-using-msxsl-script"
	],
	"threat_actors": [],
	"ts_created_at": 1775434305,
	"ts_updated_at": 1775791250,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/451fc686c67e9ee06f8e6e17ff25532afae114ea.pdf",
		"text": "https://archive.orkl.eu/451fc686c67e9ee06f8e6e17ff25532afae114ea.txt",
		"img": "https://archive.orkl.eu/451fc686c67e9ee06f8e6e17ff25532afae114ea.jpg"
	}
}