
Comment by Devasta

3 months ago

Getting rid of XSLT from the browser would be a mistake, no doubt about it.

You can see it clear as day in the github thread that they weren't asking permission, they were doing it no matter what, all their concerns about security just being the pretext.

It would have been more honest of them to just tell everyone to go fuck themselves.

> their concerns about security just being the pretext.

It seems entirely reasonable to be concerned about XSLT’s effects on security:

> Although XSLT in web browsers has been a known attack surface for some time, there are still plenty of bugs to be found in it, when viewing it through the lens of modern vulnerability discovery techniques. In this presentation, we will talk about how we found multiple vulnerabilities in XSLT implementations across all major web browsers. We will showcase vulnerabilities that remained undiscovered for 20+ years, difficult to fix bug classes with many variants as well as instances of less well-known bug classes that break memory safety in unexpected ways. We will show a working exploit against at least one web browser using these bugs.

https://www.offensivecon.org/speakers/2025/ivan-fratric.html

https://www.youtube.com/watch?v=U1kc7fcF5Ao

  • AFAIK browsers rely on an old version of xslt libraries and haven’t upgraded to newer versions

    They also seem to be putting pressure on the library maintainer, resulting in them saying they're not going to embargo security bugs.

What do you think their real reason for wanting to remove XSLT is, if not what they claim?

  • They don't want to support it (because of their perceived cost-benefit ratio for what they're interested in developing/maintaining), and hence if it is removed from the browser standards then they aren't required to support it (as opposed to driving people to other browsers)? One could ask why do WebUSB and similar "standards" given those would seem (to me) to be a much greater security issue?

  • To increase the depth of their moat. XSLT would allow anybody with a minimum of effort to extract semantic information from the web.

    • XSLT is a terrible tool for that job. RDF combined with something like SPARQL is much closer to that, and makes for one of the greatest knowledge processing tools nobody ever uses.

      XSLT is designed to work on XML while HTML documents are almost always SGML-based. The semantics don't work the same and applying XML engines on HTML often breaks things in weird and unexpected ways. Basic HTML parsing rules like "a <head> tag doesn't need to be closed and can simply be auto-closed by a <body>" will seriously confuse XML engines. To effectively use XSLT to extract information from the web, you'd first need to turn HTML into XML.

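The point above about XML engines choking on HTML's optional end tags, as an added example that is not part of the thread: a constructed HTML snippet is rejected by Python's XML parser, then converted to well-formed XML by a deliberately minimal, hypothetical tree builder (standard library only; it handles void elements and the head/body auto-close rule, not the full HTML5 algorithm).

```python
import html.parser
import xml.etree.ElementTree as ET

# Constructed sample: valid HTML, but not well-formed XML. <head> is never
# closed, and <meta> / <br> are void elements that have no end tag.
SAMPLE_HTML = (
    '<html><head><meta charset="utf-8"><title>Demo</title>'
    '<body><h1>Hello</h1><p>line<br>two</p></html>'
)

VOID = {"meta", "br", "img", "link", "input", "hr"}   # no end tag in HTML
HEAD_CLOSERS = {"body"}                               # implicitly close <head>


def xml_parse_ok(doc):
    """True if a strict XML parser accepts the document, False otherwise."""
    try:
        ET.fromstring(doc)
        return True
    except ET.ParseError:
        return False


class HtmlToXml(html.parser.HTMLParser):
    """Hypothetical minimal HTML -> XML tree builder (not a full HTML5 parser)."""

    def __init__(self):
        super().__init__()
        self.root = None
        self.stack = []          # open (non-void) elements

    def handle_starttag(self, tag, attrs):
        # HTML rule: a <body> start tag auto-closes a still-open <head>.
        if tag in HEAD_CLOSERS and self.stack and self.stack[-1].tag == "head":
            self.stack.pop()
        el = ET.Element(tag, {k: v or "" for k, v in attrs})
        if self.stack:
            self.stack[-1].append(el)
        else:
            self.root = el
        if tag not in VOID:      # void elements get an explicit empty element
            self.stack.append(el)

    def handle_endtag(self, tag):
        # Pop back to the matching open element, closing anything left open.
        while self.stack and self.stack.pop().tag != tag:
            pass

    def handle_data(self, data):
        if not self.stack:
            return
        parent = self.stack[-1]
        if len(parent):          # text after a child goes in that child's tail
            parent[-1].tail = (parent[-1].tail or "") + data
        else:
            parent.text = (parent.text or "") + data


def html_to_xml(doc):
    """Parse HTML with HTML rules and serialise it as well-formed XML."""
    p = HtmlToXml()
    p.feed(doc)
    p.close()
    return ET.tostring(p.root, encoding="unicode")
```

The serialised output is what an XSLT engine would need as input; feeding SAMPLE_HTML to it directly fails on the first mismatched end tag.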

    • > XSLT would allow anybody with a minimum of effort to extract semantic information from the web.

      XSLT has been around for decades so why are you speaking in hypotheticals, as if it’s an up-and-coming technology that hasn’t been given a fair chance yet? If it hasn’t achieved that by now, it never will.

    • > a minimum of effort

      That is not a combination of words that should be mentioned in the same sentence as the word XML or, even worse, XSLT.

      XML has its value in enterprise and reliable application development because the tooling is very old, very mature and very reliable. But it's not something taught in university any more, it's certainly not taught in "coding bootcamps", simply because it's orders of magnitude more complex than JSON to wrap your head around.

      Of course, JSON has jsonschema, but in practice most real-world usages of JSON just don't give a flying fuck.

    • I feel like this is overly conspiratorial. Likely they want to remove it because it's a pain to support, and used by an ever shrinking proportion of the internet. I don't even necessarily think removing support is a terrible thing, if you want to turn XML into HTML or whatever with XSLT you're still very welcome to do so, you just might have to do it server side rather than expecting every web browser to do it for you.

  • There are other implementations of XSLT available besides libxslt, some even in Javascript. Security is something that could be overcome and they wouldn't need to break styling on RSS feeds or anything, it could be something like how FF has a js for dealing with PDFs.

    It doesn't need to be some big conspiracy: they see the web as an application runtime instead of being about documents and information, don't give a fuck about XML technologies, don't use them internally and don't feel anyone else needs to.