Re: Any XSL Based Internet Sites Out There?

Subject: Re: Any XSL Based Internet Sites Out There?
From: "Peter Bryant" <pbryant@xxxxxxxxxxx>
Date: Sat, 26 Feb 2000 05:06:02 +1300
> > My company will be starting a beta within the next few days.  This beta will
> > allow internet users to set up their own web site on our server, create XML
> > content and upload their own XSL files to render this content.
>
> I considered something like this a while ago, with the 30-second elevator
> pitch being "GeoCities for XML". The problem is protecting yourself from
> a denial of service attack, which requires some large hacks to an XSL
> processor.
>
> If you just slap together a file upload servlet with an XSLT servlet, it's
> trivial for someone to upload a stylesheet that eats up all your CPU/heap,
> or worse, attacks other sites via the document() function, or even
> a DOCTYPE declaration. Allowing your servers to be used to fetch external
> documents may be a source of abuse. Then there's the "eval" extensions
> in some parsers that allow escape to calling Java code.

We've installed a custom Java security manager on top of XT (available upon
request if anyone wants it).  It restricts access to pretty much everything.
We do leave the document function open (actually socket requests out port 80)
since this is a brilliant way of incorporating external XML data islands.
The eval extensions (and XT has a java code namespace) had to be commented
out in the code.  James, PLEASE provide an API to disable the use of java in
a stylesheet!

>
> The only thing transformation on the server buys you is saving the user
> the pain of installing XSLT. Once transformed, you can just leave a static
> version on the site. Thus, the real differentiation will come when dynamic
> data is allowed. Anyway, it's still nice, but it's not quite the earth
> shattering service that offering free 20mb of webspace is, in comparison.

The service we provide is an application where the content is very dynamic.
Thus we do have to re-render pages.  However, we are making aggressive use of
caching in an Oracle database with as many pages as we can.

> - -Ray

Anyone interested in trying out their XSL skills writing custom pages for
this application is welcome to apply for our beta program (could be a good
way of getting XSL on your resume....)

Peter Bryant
CTO, Infopop Corporation
Adding Life To Your Site
http://infopop.com
Want to work with XSL, XML, servlets, Oracle & Internet?  We're hiring!
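
The risks named in this thread (DOCTYPE declarations, extension namespaces that reach Java code, and document() fetches) can also be screened statically when a stylesheet is uploaded. The following is an added example, not part of the original message and not Infopop's or XT's code; it complements a runtime sandbox rather than replacing it. The function name, the namespace allowlist, the single-file assumption and the sample upload are all assumptions made for illustration.

```python
import re
import xml.parsers.expat

XSLT_NS = "http://www.w3.org/1999/XSL/Transform"
# Assumption: XHTML is the only result namespace this site lets stylesheets use.
ALLOWED_NS = {XSLT_NS, "http://www.w3.org/1999/xhtml"}
DOCUMENT_CALL = re.compile(r"(?<![\w.-])document\s*\(")

class Rejected(Exception):
    """Raised from the DOCTYPE handler so the upload is refused outright."""

def screen_stylesheet(data, allow_document=False):
    """Return the reasons to refuse an uploaded stylesheet (empty list = pass)."""
    findings = []
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    def on_doctype(*_):
        raise Rejected("DOCTYPE declaration present")
    def on_namespace(prefix, uri):
        # Extension functions need a namespace binding, so anything off the
        # allowlist (e.g. a processor's Java-call namespace) is refused.
        if uri and uri not in ALLOWED_NS:
            findings.append(f"namespace not on allowlist: {uri}")
    def on_element(name, attrs):
        local = name.rpartition(" ")[2]
        # Assumption: uploads are single-file, so import/include is never needed.
        if name in (XSLT_NS + " import", XSLT_NS + " include"):
            findings.append(f"xsl:{local} of {attrs.get('href')!r}")
        for attr, value in attrs.items():
            if not allow_document and DOCUMENT_CALL.search(value):
                findings.append(f"document() call in {local}/@{attr}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartNamespaceDeclHandler = on_namespace
    parser.StartElementHandler = on_element
    try:
        parser.Parse(data, True)
    except Rejected as exc:
        findings.append(str(exc))
    except xml.parsers.expat.ExpatError as exc:
        findings.append(f"not well-formed: {exc}")
    return findings

# Constructed sample upload; the "ext" namespace URI is a placeholder.
SAMPLE = b"""<xsl:stylesheet version="1.0"
  xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:ext="urn:example:java-ext">
  <xsl:template match="/"><xsl:copy-of select="document('http://feeds.example/a.xml')"/></xsl:template>
</xsl:stylesheet>"""
if __name__ == "__main__":
    print("\n".join(screen_stylesheet(SAMPLE)))
```

Passing `allow_document=True` matches a policy where document() is deliberately left open, leaving only the namespace and DOCTYPE checks in force.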



 XSL-List info and archive:  http://www.mulberrytech.com/xsl/xsl-list
