I am working on an application that includes XSL transformation via the System.Xml.Xsl.XslCompiledTransform class (.NET 4.5). I completely control the stylesheets, and there are no extensions or external resources in them (XsltSettings.EnableScript and XsltSettings.EnableDocumentFunction are both false). I do not control the input XML, though.
My question is: for security purposes, should I validate the input XML against a schema both before and after the transformation? I would like to validate only after transformation, but I am concerned that I might be exposing the system to a vulnerability of which I'm unaware.
Any advice is most welcome!
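
The setup described in the question, sketched in C# as an added example (not code from the original post): the stylesheet is loaded with script and document() disabled, the untrusted input is read with DTD processing prohibited and no resolver, and the output is validated against a schema after the transform. The stylesheet, schema, sample inputs, helper names and the size cap are constructed for illustration, and the locked-down reader settings are an assumption about how the input is parsed.

```csharp
using System;
using System.IO;
using System.Xml;
using System.Xml.Schema;
using System.Xml.Xsl;
static class Demo // hypothetical names throughout
{
    // Constructed samples: trusted stylesheet and trusted output schema.
    const string Xslt = @"<xsl:stylesheet version='1.0' xmlns:xsl='http://www.w3.org/1999/XSL/Transform'>
  <xsl:template match='/order'><receipt><total><xsl:value-of select='amount'/></total></receipt></xsl:template>
</xsl:stylesheet>";
    const string Xsd = @"<xs:schema xmlns:xs='http://www.w3.org/2001/XMLSchema'>
  <xs:element name='receipt'><xs:complexType><xs:sequence>
    <xs:element name='total' type='xs:decimal'/>
  </xs:sequence></xs:complexType></xs:element>
</xs:schema>";
    static XmlReaderSettings Locked()
    {
        // No DTDs and no resolver: the parser expands no entities and fetches nothing.
        return new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null,
                                       MaxCharactersInDocument = 1000000 }; // assumed size cap
    }
    static string TransformAndValidate(string untrustedXml)
    {
        var xslt = new XslCompiledTransform();
        using (var sheet = XmlReader.Create(new StringReader(Xslt)))
            xslt.Load(sheet, new XsltSettings(false, false), null); // document() and script off
        var output = new StringWriter();
        using (var input = XmlReader.Create(new StringReader(untrustedXml), Locked()))
        using (var writer = XmlWriter.Create(output, xslt.OutputSettings))
            xslt.Transform(input, writer);
        var check = Locked();
        check.ValidationType = ValidationType.Schema;
        check.Schemas.Add(null, XmlReader.Create(new StringReader(Xsd)));
        // An undeclared root element only raises a warning, so report warnings and fail on any event.
        check.ValidationFlags |= XmlSchemaValidationFlags.ReportValidationWarnings;
        check.ValidationEventHandler += (s, e) => { throw new XmlSchemaException(e.Message, e.Exception); };
        using (var r = XmlReader.Create(new StringReader(output.ToString()), check))
            while (r.Read()) { }
        return output.ToString();
    }
    static void Main()
    {
        // Constructed inputs: one whose output is valid, one whose output fails xs:decimal.
        Console.WriteLine(TransformAndValidate("<order><amount>12.50</amount></order>"));
        try { TransformAndValidate("<order><amount>lots</amount></order>"); }
        catch (XmlSchemaException ex) { Console.WriteLine("rejected: " + ex.Message); }
    }
}
```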