← Back to context

Comment by dfabulich

8 hours ago

Blame Apple and Mozilla, too, then. They all agreed to remove it.

They all agreed because XSLT is extremely unpopular and worse than JS in every way. Performance/bloat? Worse. Security? MUCH worse. Language design? Unimaginably worse.

EDIT: I wrote thousands of lines of XSLT circa 2005. I'm grateful that I'll never do that again.

19 comments

dfabulich

Reply
stickfigure  8 hours ago

This is only repeated by people who have never used it.

XSLT is still a great way of easily transforming xml-like documents. It's orders of magnitude more concise than transforming using Javascript or other general programming languages. And people are actively re-inventing XSLT for JSON (see `jq`).

  • garethrowlands  6 hours ago

    I used to use XSLT a lot, though it was a while ago.

    You can use Javascript to get the same effect and, indeed, write your transforms in much the same style as XSLT. Javascript has xpath (still). You have a choice of template language but JSX is common and convenient. A function for applying XSLT-style matching rules for an XSLT push style of transform is only a few lines of code.

    Do you have a particular example where you think Javascript might be more verbose than XSLT?

  • mschuster91  8 hours ago

    I actually do have to work with raw XML and XSLTs every once in a while for a java-based CMS and holy hell, it's nasty.

    Java in general... Maven, trying to implement extremely simple things in Gradle (e.g. only execute a specific Thing as part of the pipeline when certain conditions are met) is an utter headache to do in the pom.xml because XML is not a programming language!

    • stickfigure  6 hours ago

      It is an unfortunate fact about our industry that all build tools suck. Tell me what your favorite build tool is and I can point at hundreds of HN threads ripping it to shreds. Maybe it's NPM? Cue the screams...

      I agree though, "XML is not a programming language" and attempts to use it that way have produced poor results. You should have seen the `ant` era! But this is broader than XML - look at pretty much every popular CI system for "YAML is not a programming language".

      That doesn't mean that XML isn't useful. Just not as a programming language.

      4 replies →

dfox  8 hours ago

> Security? MUCH worse.

Comparing single-purpose declarative language that is not even really turing-complete with all the ugly hacks needed to make DOM/JS reasonably secure does not make any sense.

Exactly what you can abuse in XSLT (without non-standard extensions) in order to do anything security relevant? (DoS by infinite recursion or memory exhaustion does not count, you can do the same in JS...)

  • dfabulich  5 hours ago

    If you would RTFA, they're removing XSLT specifically for security reasons. They provide the following links:

    https://www.offensivecon.org/speakers/2025/ivan-fratric.html

    > Although XSLT in web browsers has been a known attack surface for some time, there are still plenty of bugs to be found in it, when viewing it through the lens of modern vulnerability discovery techniques. In this presentation, we will talk about how we found multiple vulnerabilities in XSLT implementations across all major web browsers. We will showcase vulnerabilities that remained undiscovered for 20+ years, difficult to fix bug classes with many variants as well as instances of less well-known bug classes that break memory safety in unexpected ways. We will show a working exploit against at least one web browser using these bugs.

    https://nvd.nist.gov/vuln/detail/CVE-2025-7425

    https://nvd.nist.gov/vuln/detail/CVE-2022-22834

    (And, for the record, XSL is Turing-complete. It has xsl:variable, xsl:if, xsl:for-each, and xsl:apply-template function calls.)

cxr  7 hours ago

> They all agreed to remove it.

All those people suck, too.

Were you counting on a different response?

> XSLT is extremely unpopular and worse than JS in every way

This isn't a quorum of folks torpedoing a proposed standard. This is a decades-old stable spec and an established part of the Web platform, and welching on their end of the deal will break things, contra "Don't break the Web".

righthand  8 hours ago

They did not agree to remove it. This is a spun lie from the public posts I can see. They agreed to explore removing it but preferred to keep it for good reasons.

Only Google is pushing forward and twisting that message.

  • JimDabell  7 hours ago

    > They did not agree to remove it. This is a spun lie from the public posts I can see. They agreed to explore removing it but preferred to keep it for good reasons.

    Mozilla:

    > Our position is that it would be good for the long-term health of the web platform and good for user security to remove XSLT, and we support Chromium's effort to find out if it would be web compatible to remove support.

    https://github.com/mozilla/standards-positions/issues/1287#i...

    WebKit:

    > WebKit is cautiously supportive. We'd probably wait for one implementation to fully remove support, though if there's a known list of origins that participate in a reverse origin trial we could perhaps participate sooner.

    https://github.com/whatwg/html/issues/11523#issuecomment-314...

    Describing either of those as “they preferred to keep it” is blatantly untrue.

    • righthand  2 hours ago

      So you’re choosing to help them spin the lie by cherry picking comments.

      The Mozilla comment itself ends with:

      > If it turns out that it's not possible to remove support, then we think browsers should make an effort to improve the fundamental security properties of XSLT even at the cost of performance.

      > If it turns out not to be possible to remove the feature, we’d like to replace our current implementation. The main requirements would be compatibility with existing web content, addressing memory safety security issues, and not regressing performance on non-XSLT content. We’ve seen some interest in sandboxing libxslt, and if something with that shape satisfied our normal production requirements we would ship it.

      But the only way it’s possible to remove the feature is if you ignore everyone asking you to please not to remove it.

      Therefor by totally ignoring push back you can then twist Mozilla reps words to mean the only option is to remove it.

      Similarly with the Webkit comment:

      > WebKit is cautiously supportive.

      Both these orgs requested investigation not removal. Both expressed some concern and caution. Google did not, they only ever pushed forward with removing it. Even goong so far as to ignore the followup request to implement XSLT 3.0.

      No it’s not blatantly untrue. It’s unblatantly misleading.

      Furthermore I’d say for those specific comments, “go ahead and remove it”, the inverse is blatantly untrue.