> There are definitely situations where you need to have project defined XSLT.
Possibly so, but "skins" shouldn't be one of them? Just out of interest can you give a concrete example? > We use a comination of chroot jails (if shell access) and URIResolvers to keep the > dev-user where they should be. Also, since we use Saxon, we turn off extensions > with: <snip> > What am I missing? :-o Got me, but I'd guess an infinitely looping XSLT DOS attack is a potential problem? Other than that, if Saxon (or the underlying Java engine) has any potential buffer overflow problems, or other Sandbox leaks then you've given people a nice Worm building environment (since XSLT is Turing complete)... --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
