Any XSSI commands you include on a page will be invisible to the browser, which sees only the resulting HTML. This enables pages to be dynamically generated (the difference between server-side code like XSSI and dynamic HTML is that XSSI code is dynamic only at the time the page is requested, while dynamic HTML pages can continue to change once they're downloaded).
Unlike client-side scripting languages such as JavaScript, XSSI isn't dependent on the capabilities of the browser, so you can rest easy knowing your XSSI code will work even when some yahoo hits your page with a Newton.
What's more, XSSI is extremely "inexpensive" to the server, unlike CGI scripts. So you should feel free to do anything you can figure out how to do with XSSI; you needn't worry about slowing down the server your page is on. Also, many ISPs that would never allow you to run a CGI script will allow XSSI code on your page.
next page»