Well, that's not exactly true, at least on the Microsoft platform. While we are at it, here is a refresher on this important topic, from the MSXML 6.0 XSLT security documentation: untrusted style sheets are those that come from an untrustworthy domain.
However, if you use MSXML 6.0 via script in Internet Explorer to execute transformations, when the AllowXsltScript property is set to true, Internet Explorer's security settings are used for execution.
The DOM supports XSLT transformations via calls to the transformNode and transformNodeToObject methods.
XSLT supports scripting inside style sheets using the msxsl:script element.
This allows custom functions to be used in an XSLT transformation. If you require scripting in your XSLT transformations, you can enable the feature by setting the AllowXsltScript property to true. Internet Explorer uses MSXML 3.0 by default, so when using the MIME viewer to transform scripts, Internet Explorer's security settings are used.
It is possible to extend the power of XSLT using JavaScript embedded into the XSL file. Therefore any web application that allows the user to upload their own XSL file will be vulnerable to Cross Site Scripting attacks. .NET (since 2.0) does not allow script extensions or the document() function in XSLT by default. So the truth is a bit different: any web application that allows the user to upload their own XSL file and explicitly allows executing embedded scripts will be vulnerable to Cross Site Scripting attacks.
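To make the .NET side of that point concrete, here is an added example (not from the original post or from Microsoft's documentation) showing what the defaults actually do. It loads a constructed "uploaded" stylesheet that embeds an msxsl:script block with XslCompiledTransform: under XsltSettings.Default the loader refuses it, and the script only runs if the application opts in with XsltSettings.TrustedXslt. A small pre-check that looks for the script element before compiling is included as well. The stylesheet, input document and class name are all constructed for the demo.

```csharp
using System;
using System.IO;
using System.Xml;
using System.Xml.Xsl;

// Added example, not part of the original post: handling an uploaded
// stylesheet with .NET's XslCompiledTransform. Stylesheet and input are constructed.
static class UntrustedXsltDemo
{
    // Namespace of the MSXML/.NET <msxsl:script> extension element.
    const string MsxslNs = "urn:schemas-microsoft-com:xslt";

    // Constructed "uploaded" stylesheet embedding a script block, the pattern
    // the post describes as the XSS vector.
    const string UntrustedXsl = @"<?xml version=""1.0""?>
<xsl:stylesheet version=""1.0""
    xmlns:xsl=""http://www.w3.org/1999/XSL/Transform""
    xmlns:msxsl=""urn:schemas-microsoft-com:xslt""
    xmlns:user=""urn:example-user"">
  <msxsl:script language=""C#"" implements-prefix=""user"">
    public string Tag() { return ""script ran""; }
  </msxsl:script>
  <xsl:template match=""/"">
    <out><xsl:value-of select=""user:Tag()""/></out>
  </xsl:template>
</xsl:stylesheet>";

    const string InputXml = "<root/>";

    // Cheap pre-check: scan the stylesheet for msxsl:script before compiling it,
    // with DTDs prohibited and no resolver so the scan itself fetches nothing.
    public static bool ContainsScriptElement(string xsl)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null
        };
        using (var reader = XmlReader.Create(new StringReader(xsl), settings))
        {
            while (reader.Read())
            {
                if (reader.NodeType == XmlNodeType.Element
                    && reader.NamespaceURI == MsxslNs
                    && reader.LocalName == "script")
                    return true;
            }
        }
        return false;
    }

    // Transform under the policy the caller chooses. XsltSettings.Default keeps
    // EnableScript and EnableDocumentFunction false; a null stylesheet resolver
    // also stops xsl:import / xsl:include from pulling in external resources.
    public static string Transform(string xsl, string xml, XsltSettings policy)
    {
        var xslt = new XslCompiledTransform();
        using (var xslReader = XmlReader.Create(new StringReader(xsl)))
            xslt.Load(xslReader, policy, stylesheetResolver: null);

        var output = new StringWriter();
        using (var xmlReader = XmlReader.Create(new StringReader(xml)))
            xslt.Transform(xmlReader, null, output);
        return output.ToString();
    }

    static void Main()
    {
        Console.WriteLine("contains msxsl:script: " + ContainsScriptElement(UntrustedXsl));

        try
        {
            // Safe default: Load rejects the script block instead of compiling it.
            Transform(UntrustedXsl, InputXml, XsltSettings.Default);
        }
        catch (XsltException e)
        {
            Console.WriteLine("rejected by XsltSettings.Default: " + e.Message);
        }

        // Opt-in path, only for stylesheets the application authored itself.
        // On .NET Framework this compiles and runs the embedded C#; on .NET Core
        // and later, script blocks are unsupported and Load throws instead.
        // Console.WriteLine(Transform(UntrustedXsl, InputXml, XsltSettings.TrustedXslt));
    }
}
```

Running it with the default policy prints that the stylesheet contains a script element and then the XsltException from Load, which is the behaviour the post relies on: the upload is only dangerous once the application passes TrustedXslt (or an XsltSettings with EnableScript set) for content it did not write.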