This is the mail archive of the xsl-list@mulberrytech.com mailing list .



Re: Any XSL Based Internet Sites Out There?



 
> Is there anyone out there using XSL to generate content for their web site?
> I'd be interested in hearing your experiences and finding out how widespread
> XSL is becoming.


Since last October, our site (MsgTo.com), has been using JSP, XML, and XSL
to "skin" or "theme" the site for email outsourcing. We provided email 
outsourcing, but needed a way to customize the look of the site for each
client, without editing code. The solution was to use JSP to output
XML which is posted through XT on its way to the client. In doing so, we
were also able to do WAP/WML and VoxML versions of our site.

Of course, email has its own unique set of challenges, like filtering
and converting HTML emails to XHTML, but with dangerous JavaScript et al
removed, and also handling stuff like cid:/mid: URLs and multipart/related.

We will soon offer a service that allows users to design their own 
"skin" for our website. However, care must be taken.


> My company will be starting a beta within the next few days.  This beta will
> allow internet users to set up their own web site on our server, create XML
> content and upload their own XSL files to render this content.

I considered something like this a while ago, with the 30-second elevator
pitch being "GeoCities for XML". The problem is protecting yourself from
a denial of service attack, which requires some large hacks to an XSL
processor. 

If you just slap together a file upload servlet with an XSLT servlet, it's
trivial for someone to upload a stylesheet that eats up all your CPU/heap,
or worse, attacks other sites via the document() function, or even
a DOCTYPE declaration. Allowing your servers to be used to fetch external
documents may be a source of abuse. Then there's the "eval" extensions
in some parsers that allow escape to calling Java code.

The only thing transformation on the server buys you is saving the user
the pain of installing XSLT. Once transformed, you can just leave a static
version on the site. Thus, the real differentiation will come when dynamic
data is allowed. Anyway, it's still nice, but it's not quite the earth-shattering
service that offering free 20 MB of webspace is, in comparison.


-Ray
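
The risks listed in the message above (outbound fetches through document() or a DOCTYPE, extension functions that call into Java, and runaway CPU use) map onto processor settings. The sketch below is an added example, not code from the original post or from MsgTo.com; it assumes the JDK's built-in JAXP processor rather than XT, and the class and method names are hypothetical.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.util.concurrent.*;
import javax.xml.XMLConstants;
import javax.xml.transform.*;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class SandboxedXslt {   // hypothetical name, for illustration only
    // Second line of defence: any URI the processor still tries to resolve is refused.
    static final URIResolver DENY = (href, base) -> {
        throw new TransformerException("external reference refused: " + href);
    };

    // Factory for untrusted stylesheets: no Java extension calls, no external fetches.
    static TransformerFactory hardenedFactory() throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);   // extension functions off, parser limits on
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");         // no external DTD via DOCTYPE
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");  // no xsl:import/include/document() fetches
        tf.setURIResolver(DENY);
        return tf;
    }

    // Bounds how long the caller waits. shutdownNow() only interrupts the worker, so a
    // stylesheet stuck in a tight loop may keep running; hard CPU and heap caps need a
    // separate, resource-limited process.
    static String transform(String xsl, String xml, long timeoutMs) throws Exception {
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            Future<String> job = pool.submit(() -> {
                Transformer t = hardenedFactory().newTransformer(new StreamSource(new StringReader(xsl)));
                t.setURIResolver(DENY);                                // covers document() at run time
                StringWriter out = new StringWriter();
                t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
                return out.toString();
            });
            return job.get(timeoutMs, TimeUnit.MILLISECONDS);
        } finally {
            pool.shutdownNow();
        }
    }

    public static void main(String[] args) {
        String xml = "<page><title>hello</title></page>";              // constructed sample content
        String ok = "<xsl:stylesheet version='1.0' xmlns:xsl='http://www.w3.org/1999/XSL/Transform'>"
            + "<xsl:template match='/'><h1><xsl:value-of select='page/title'/></h1></xsl:template>"
            + "</xsl:stylesheet>";
        // Constructed test case: the same stylesheet asking the server to fetch a URL.
        String fetch = ok.replace("'page/title'", "\"document('http://example.invalid/x')\"");
        for (String xsl : new String[] {ok, fetch}) {
            try { System.out.println(transform(xsl, xml, 2000)); }
            catch (Exception e) { System.out.println("refused: " + e); }
        }
    }
}
```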








 XSL-List info and archive:  http://www.mulberrytech.com/xsl/xsl-list
