Re: [xsl] Using xsl:output in browsers, was: Re [xsl] XHTML html validation

Subject: Re: [xsl] Using xsl:output in browsers, was: Re [xsl] XHTML html validation
From: Abel Braaksma <abel.online@xxxxxxxxx>
Date: Mon, 19 Feb 2007 23:27:24 +0100
Manfred Staudinger wrote:
> There is another downside of Sarissa as it uses ActiveX. In corporate and
> government networks you will find it frequently disabled. A better solution
> would have been to use a PI and to load the document into iframes. This
> way the transformation is not dependent on JS either.


No, this is a misunderstanding of Sarissa. Sarissa makes the interface to XSLT Transformations available in a browser-uniform way. IE5 and IE6 happen to use ActiveX for this (as for many, many other features; as soon as you manipulate the DOM by script you invoke ActiveX). Sarissa can't help that.

Most companies I've seen have the security settings quite high, but allow safe ActiveX controls. The reason is simple: almost no HTML-enabled help page will work if you disable this, most of microsoft.com will not work and certainly not the windowsupdate.com (which is something administrators visit often). But I agree, it is a downside which is solved in IE7 where no ActiveX is involved anymore.

(As a side note, a potentially much more dangerous control, XMLHttpRequest, is also ActiveX, but does not fall under the same security restrictions because it is invoked differently... strange world, isn't it?)

Using a PI involves the same ActiveX control; if the company cares for security, it may have disabled this entirely. Furthermore, many people consider it bad practice to show the contents of data when you request the source of a file, but that is a much-debated subject.

I could drag on about the unmanageability of using PIs, its lack of parameter passing possibilities, its complete lack of flexibility, the impossibility to use or reuse parts of the result of the transformation, or the transformation objects themselves, and the extra effort that is needed to make all the pieces of your website work together. In the 'Ajax' community they have understood this and use browser-based JavaScript-invoked transformations. But like I said, I could go on and on, but if you know all the drawbacks and if you are willing to pay the extra effort involved, it is quite a stable and safe path to go (and no popups about ActiveX, but instead, maybe, popups about cross-frame scripting).

-- Abel
