Friday, November 30, 2007

KB936021 XML Core Services Update Breaks XSLT Transformation (which could be any BizTalk maps)

KB936021 - Microsoft Security Bulletin MS07-042 published on the 14th August 2007 which fixes the potential vulnerability of executing remote code via an XSLT file from within Microsoft Internet Explorer may break your BizTalk (all versions) implementation (or any XSLT transformation code) - Only applicable to BizTalk: but this is depending on how you have implemented your maps.

This update fixes, XML Core Services 3.0, 4.0 and version 6.0. Previously, the resolveExternals (part of the DOM interface) property was true by default allowing you to code something like the following in XSLT:-

<xsl:import href="addressbook_vv.xsl"/>

<xsl:call-template name="addressbookupdate_out_vv">
<xsl:with-param name="pdamgr" select="PDAMGR" />
This was possible before the fixpack because the DOM was true by default and BizTalk does not explicitly set it to true.

After installing this fixpack, the above code will not work because BizTalk uses the XML Core Services for XSLT transformation and doesn't explicitly set the resolveExternals property to true - which is what is required in order to call sub maps (sub XSLT templates within stylesheets).

But this depends on how you have written your maps in BizTalk. If you have used the BizTalk mapper or used .NET C#/VB.NET to create your maps then you will be OK. But the mapper tool is very inefficient so we have written our maps ourselfs by hand which use re-usable routines referenced as above. Now this is causing us an issue and will probebely have to be written in .NET.

UPDATE: In relation to BizTalk, Microsoft has told us there will probebly not be a hotfix in the future to allow you to set this property or force resolveExternals to true as they see this as a security risk.

If you are encountering an issue outside of BizTalk when trying to do a transformation with MS XML Core Services, then this is an easy fix. Simply set resolveExternals to true before you do the transformation.

No comments: