
Security of Text Templates

Text templates have the following security concerns:

  • Text templates are vulnerable to arbitrary code insertions.

  • If the mechanism that the host uses to find a directive processor is not secure, a malicious directive processor could be run.

When you write a template, you can put any code within the <# #> tags. This allows arbitrary code to be executed from within a text template.

Be sure that you obtain templates only from trusted sources. Also, be sure to warn end users not to execute templates that come from untrusted sources.

The text template transformation process takes a text template file as the input, and then produces a new text file as the output. The engine component controls the process. It interacts with a text template transformation host and one or more text template directive processors to complete the process. For more information, see Architecture of the Text Template Transformation Process.

If the mechanism that the host uses to find a directive processor is not secure, a malicious directive processor could be run. The malicious directive processor could provide code that is run in FullTrust mode when the template is run. If you create a custom text template transformation host, you must use a secure mechanism, such as the registry, to locate directive processors.

© 2014 Microsoft. All rights reserved.