Removing XSLT for a more secure browser
6 months ago
- #XSLT
- #Web Development
- #Chrome
- Chrome plans to deprecate and remove XSLT by late-2026, with Firefox and WebKit also planning removal.
- Two APIs being removed: XSLTProcessor class and XSLT Processing Instruction.
- Timeline includes deprecation warnings starting in Chrome 143 (Dec 2025) and full removal by Chrome 155 (Nov 2026).
- XSLT is a language for transforming XML documents into other formats like HTML, but its use has declined.
- Removal is due to security risks from aging C/C++ libraries and low usage (0.02% of web pages).
- Modern alternatives include JSON, JavaScript frameworks (React, Vue), and server-side processing.
- Migration options: server-side XSLT processing, client-side JavaScript libraries, polyfills, or Chrome extensions.
- Specific use cases addressed: RSS/Atom feeds, API output for embedded devices, and lazy templating for websites.
- Security improvements include replacing libxml2 with a memory-safe Rust-based XML parser.