Should we remove XSLT from the web platform?
9 days ago
- #XSLT
- #Browser Standards
- #Web Security
- XSLT v1.0, standardized in 1999, is outdated compared to newer versions (v2.0, v3.0).
- Client-side XSLT usage has declined due to JavaScript libraries/frameworks like JSON+React.
- Browser XSLT libraries (e.g., libxslt) are aging C/C++ codebases prone to memory safety vulnerabilities.
- XSLT has been a source of high-profile security exploits, posing risks to browser users.
- Proposal to deprecate and remove XSLT from web standards to reduce attack surface and simplify the platform.
- Focus engineering resources on securing modern web technologies without practical loss for developers.
- Clarification: Deprecation does not target XML usage in other web APIs, only XSLT-specific mentions.