Comment by JimDabell
8 days ago
> Why can’t things remain backwards compatible forever?
I already said why:
> The complexity and attack surface area isn’t justified by its utility, so it’s hard to make the case for keeping it.
If you read the GitHub issue that this submission links to, the issue points out security vulnerabilities and links to:
> Although XSLT in web browsers has been a known attack surface for some time, there are still plenty of bugs to be found in it, when viewing it through the lens of modern vulnerability discovery techniques. In this presentation, we will talk about how we found multiple vulnerabilities in XSLT implementations across all major web browsers. We will showcase vulnerabilities that remained undiscovered for 20+ years, difficult to fix bug classes with many variants as well as instances of less well-known bug classes that break memory safety in unexpected ways. We will show a working exploit against at least one web browser using these bugs.
— https://www.offensivecon.org/speakers/2025/ivan-fratric.html
For those who have been looking, the actual presentation where they talk about this appears to be here: https://youtu.be/U1kc7fcF5Ao