XSLT Injection Demo

c.xml

<?xml version="1.0" ?>
<fruits>
  <fruit>
    <name>Lemon</name>
    <description>Yellow and sour</description>
  </fruit>
  <fruit>
    <name>Watermelon</name>
    <description>Round, green outside, red inside</description>
  </fruit>
</fruits>

index.html

<html>
<body>

<form action="xslt.php" method="get">
Name: <input type="text" name="name"><br>
E-mail: <input type="text" name="email"><br>
<input type="submit">
</form>

</body>
</html>

xslt.php

<?php 
//ini_set('display_errors', 1);
//ini_set('display_startup_errors', 1);
//error_reporting(E_ALL);
echo $_GET["name"];
echo $_GET["email"]."\n";


$xml=new DOMDocument;

$xml->load('c.xml');

$myfile = fopen("xslt.xsl", "w");

$txt = "<?xml version=\"1.0\" encoding=\"utf-8\"?>
<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">
  <xsl:template match=\"/fruits\">".
    $_GET["name"]."
    Fruits:
    <!-- Loop for each fruit -->
    <xsl:for-each select=\"fruit\">
      <!-- Print name: description -->
      - <xsl:value-of select=\"name\"/>: <xsl:value-of select=\"description\"/>
    </xsl:for-each>
  </xsl:template>
</xsl:stylesheet>";

fwrite($myfile, $txt);
fclose($myfile);
$xsl=new DOMDocument;
$xsl->load("xslt.xsl");

$proc=new XSLTProcessor;
$proc->registerPHPFunctions();
$proc->importStyleSheet($xsl);

echo $proc->transformToXML($xml);

?>

If you're testing under xampp on windows you might need to edit \xampp\php\php.ini and uncomment extension=php_xsl.dll