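/// <summary>
/// Runs the XSLT fragment held in <c>_xslFragment</c> over <c>_inputStream</c> and
/// returns the transformed bytes.
/// </summary>
/// <returns>
/// A <see cref="MemoryStream"/> containing the transform output, rewound to position 0.
/// Ownership of the stream passes to the caller.
/// </returns>
/// <remarks>
/// XSLT exposes several powerful features, so the stylesheet and the input are both
/// loaded with a restricted configuration:
/// 1- <see cref="XsltSettings.Default"/> keeps embedded script blocks and the XSLT
///    document() function disabled.
/// 2- The reader settings carry a null XmlResolver, so external entities and other
///    external resources referenced from the XML are not fetched.
/// 3- A null stylesheet resolver is passed to Load, so xsl:import / xsl:include
///    targets are not resolved.
/// 4- Entity expansion and total document size are capped by the limits obtained
///    from Utils.
/// </remarks>
public override object GetOutput()
{
    XslCompiledTransform xslt = new XslCompiledTransform();

    // One settings object is shared by the stylesheet reader and the input reader so
    // that both get the same restrictions.
    // NOTE(review): DtdProcessing is not set here, so the XmlReaderSettings default
    // applies - confirm that matches the intended DTD policy.
    XmlReaderSettings settings = new XmlReaderSettings();
    settings.XmlResolver = null;
    settings.MaxCharactersFromEntities = Utils.GetMaxCharactersFromEntities();
    settings.MaxCharactersInDocument = Utils.GetMaxCharactersInDocument();

    // Load the XSL transform. The stylesheet is compiled during Load, so the readers
    // can be released as soon as it returns (also on the exception path).
    using (StringReader sr = new StringReader(_xslFragment))
    using (XmlReader readerXsl = XmlReader.Create(sr, settings, (string)null))
    {
        xslt.Load(readerXsl, XsltSettings.Default, null);
    }

    // Now load the input stream; XmlDocument could be used but is less efficient.
    // XPathDocument reads the whole document in its constructor. CloseInput is left at
    // its default (false), so disposing the reader does not close _inputStream.
    XPathDocument inputData;
    using (XmlReader reader = XmlReader.Create(_inputStream, settings, BaseURI))
    {
        inputData = new XPathDocument(reader, XmlSpace.Preserve);
    }

    // The writer is deliberately not disposed: closing an XmlTextWriter also closes
    // the underlying stream, and that stream is the return value. A null encoding
    // makes the writer emit UTF-8.
    MemoryStream ms = new MemoryStream();
    XmlWriter writer = new XmlTextWriter(ms, null);

    // Transform the data and send the output to the memory stream.
    xslt.Transform(inputData, null, writer);

    // Push anything still buffered in the writer into the stream before rewinding it.
    writer.Flush();
    ms.Position = 0;
    return ms;
}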