Lists Home |
Date Index |
On reflection, I think XInclude's security issues are really just a
subset of those that browsers have with XSLT, or at least are solvable
in the same way. XSLT allows you to fetch data from a local file
using document("file:///whatever") and even allows you to pass out
that information as part of a URL in another document() call.
I checked what Mozilla does in this case, and it appears to refuse
to fetch a file: URL from a document() call in a remote stylesheet.