Note that in most cases where you're concerned about security, you should already be running user-provided code -- including stylesheets -- in a Java "sandbox" environment, using Java's own security features to constrain what classes can be loaded, what parts of the filesystem can be accessed, and so on. If that can protect you from abusive Java, it certainly should be able to protect you from abusive Xalan.
______________________________________
"... Three things see no end: A loop with exit code done wrong,
A semaphore untested, And the change that comes along. ..."
-- "Threes" Rev 1.1 - Duane Elms / Leslie Fish (http://www.ovff.org/pegasus/songs/threes-rev-11.html)
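
One way to apply the sandboxing described in the message above, as an added example that is not part of the original post or of Xalan's own code: the transform runs under an AccessControlContext with an empty permission set, and a self-test confirms the sandbox is enforcing before any stylesheet is processed. The class and helper names (SandboxedTransform, sandboxed, transform) and the sample stylesheet are constructed for illustration. It assumes a JDK where the Security Manager is still available (JDK 17 or earlier, or 18 to 23 started with -Djava.security.manager=allow; it was deprecated for removal in Java 17 and permanently disabled in JDK 24).

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.security.*;
import javax.xml.XMLConstants;
import javax.xml.transform.*;
import javax.xml.transform.stream.*;

public class SandboxedTransform {
    // A context whose only protection domain holds an empty permission set.
    private static final AccessControlContext NO_PERMS = new AccessControlContext(
            new ProtectionDomain[] { new ProtectionDomain(null, new Permissions()) });

    // Run an action with the intersection of the caller's rights and NO_PERMS.
    static <T> T sandboxed(PrivilegedExceptionAction<T> action) throws Exception {
        try {
            return AccessController.doPrivileged(action, NO_PERMS);
        } catch (PrivilegedActionException e) {
            throw e.getException(); // unwrap checked exceptions from the action
        }
    }

    // Compile and run an untrusted stylesheet entirely inside the sandbox.
    static String transform(String xslt, String xml) throws Exception {
        return sandboxed(() -> {
            TransformerFactory tf = TransformerFactory.newInstance();
            // Standard JAXP hardening switch, added here as defence in depth.
            tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            Transformer t = tf.newTransformer(new StreamSource(new StringReader(xslt)));
            StringWriter out = new StringWriter();
            t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
            return out.toString();
        });
    }

    public static void main(String[] args) throws Exception {
        // Permission checks are skipped entirely unless a manager is installed.
        System.setSecurityManager(new SecurityManager());
        try { // Self-test: a property read must be refused inside the sandbox.
            sandboxed(() -> System.getProperty("user.home"));
            throw new IllegalStateException("sandbox is not enforcing");
        } catch (SecurityException expected) { /* sandbox is active */ }
        // Constructed sample input: an identity stylesheet and a small document.
        String xslt = "<xsl:stylesheet version='1.0' "
                + "xmlns:xsl='http://www.w3.org/1999/XSL/Transform'>"
                + "<xsl:template match='@*|node()'><xsl:copy>"
                + "<xsl:apply-templates select='@*|node()'/>"
                + "</xsl:copy></xsl:template></xsl:stylesheet>";
        System.out.println(transform(xslt, "<doc><item>1</item></doc>"));
    }
}
```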