Just came across this today, and after thinking about it, sure, an xslt doc can actually write out other languages which then can do malicious harm.

Heck, a person utilizing xslt and too much time on his hands could send the binary data to a server that's awaiting a request.

But then it comes down to the developers, and data validation, and the proper use of DTD's or Schema's.

Am I living in a pipe dream? We will find out shortly!

[informationweek.com...]