On my web page, I am going to allow clients to submit (X)HTML. To avoid XSS, I will use HTML Purifier and disable the <script> tag (and some other dangerous tags).
Yet I would like to let the designers of that (X)HTML use certain programming-like features, for example displaying a list of items, which would need a for-loop.
Then I came up with the idea that users submit the XSL code and I provide the XML with the data required by the users.
As HTML Purifier cannot sanitise XSL code (can it?), my proposed flow would be:
1. User submits a piece of XSL code.
2. In the server, there are som
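The following is an added example of the proposed flow, written for this page and not taken from the question or from HTML Purifier's own documentation. It shows the two controls a practitioner would want in that flow: the XSLT processor is locked down so the user's stylesheet cannot read or write files or the network (document(), xsl:include/xsl:import, exsl:document), and the transform's output, not the XSL, is what goes through HTML Purifier, because a stylesheet can emit any markup it likes (including via disable-output-escaping). The autoloader path, the allowed-tag list, the sample data XML, the hostile stylesheet and the file path it tries to read are all constructed for the example.

```php
<?php
// Added example, not the question's code. Assumes HTML Purifier is installed
// and its autoloader lives at this (assumed) path.
require_once 'vendor/ezyang/htmlpurifier/library/HTMLPurifier.auto.php';

// Refuse every external resource libxml would otherwise fetch on behalf of the
// user's stylesheet (xsl:include, xsl:import, document(), external DTDs).
// Returning null from the loader makes the load fail.
libxml_set_external_entity_loader(function ($publicId, $systemId, $context) {
    return null;
});
libxml_use_internal_errors(true);

function loadXml(string $xml): DOMDocument
{
    $dom = new DOMDocument();
    // LIBXML_NONET: no network access while parsing. Never pass LIBXML_NOENT,
    // which would expand external entities (XXE).
    if (!$dom->loadXML($xml, LIBXML_NONET)) {
        throw new RuntimeException('invalid XML');
    }
    return $dom;
}

function renderUserTemplate(string $userXsl, string $dataXml): string
{
    $proc = new XSLTProcessor();
    // Deny file and network reads and writes from inside the stylesheet.
    // PHP's default (XSL_SECPREF_DEFAULT) only blocks writes, so document()
    // could still read local files. Do NOT call $proc->registerPHPFunctions():
    // that would let the stylesheet call arbitrary PHP functions.
    $proc->setSecurityPrefs(
        XSL_SECPREF_READ_FILE | XSL_SECPREF_WRITE_FILE |
        XSL_SECPREF_CREATE_DIRECTORY |
        XSL_SECPREF_READ_NETWORK | XSL_SECPREF_WRITE_NETWORK
    );
    if (!$proc->importStylesheet(loadXml($userXsl))) {
        throw new RuntimeException('stylesheet rejected');
    }
    $html = $proc->transformToXml(loadXml($dataXml));
    if ($html === false) {
        throw new RuntimeException('transform failed');
    }

    // Purify the transform OUTPUT. Allow-list only what designers need;
    // anything else (script, event handler attributes, javascript: URLs) is
    // dropped by HTML Purifier.
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Allowed', 'p,ul,ol,li,strong,em,a[href],h1,h2,h3,span[class]');
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    return (new HTMLPurifier($config))->purify($html);
}

// Constructed sample data that the server would supply to the template.
$dataXml = <<<XML
<?xml version="1.0"?>
<items>
  <item><name>Alpha</name><url>https://example.com/a</url></item>
  <item><name>Beta</name><url>javascript:alert(1)</url></item>
</items>
XML;

// Constructed hostile stylesheet: it loops over the items as a designer
// legitimately would, but also injects a script element and tries to read a
// local file (hypothetical path) through document().
$userXsl = <<<XSL
<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="html"/>
  <xsl:template match="/">
    <ul>
      <xsl:for-each select="/items/item">
        <li><a href="{url}"><xsl:value-of select="name"/></a></li>
      </xsl:for-each>
    </ul>
    <script>alert(document.cookie)</script>
    <pre><xsl:value-of select="document('/var/www/app/config.xml')"/></pre>
  </xsl:template>
</xsl:stylesheet>
XSL;

echo renderUserTemplate($userXsl, $dataXml);
```

With the security preferences set, libxslt refuses the document() read (the call yields an empty node-set and an error that is recorded rather than fatal), the entity loader refuses any xsl:include or xsl:import, and the purifier removes the script element and the javascript: href while keeping the generated list. The order matters: purifying the XSL source would not help, because the dangerous markup is produced by the transform, so the purifier must always run on its output.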