What is the issue with the HTML Standard?

XSLT v1.0, which all browsers adhere to, was standardized in 1999. In the meantime, XSLT has evolved to v2.0 and v3.0, adding features, and growing apart from the old version frozen into browsers. This lack of advancement, coupled with the rise of JavaScript libraries and frameworks that offer more flexible and powerful DOM manipulation, has led to a significant decline in the use of client-side XSLT. Its role within the web browser has been largely superseded by JavaScript-based technologies such as JSON+React.

The underlying libraries that browsers use to process these transformations (e.g. libxslt in Chromium) are complex, aging C/C++ codebases. This type of code is notoriously susceptible to memory safety vulnerabilities like buffer overflows, which can lead to arbitrary code execution. Because client-side XSLT is now a niche, rarely-used feature, these libraries receive far less maintenance and security scrutiny than core JavaScript engines, yet they represent a direct, potent attack surface for processing untrusted web content. Indeed, XSLT is the source of several recent high-profile security exploits that continue to put browser users at risk.

For these reasons, I’d like to raise the question of whether we should deprecate and remove XSLT from the web standard. Doing so would directly reduce the browser's attack surface for all users, simplify the web platform, and allow engineering resources to be focused on securing the technologies that actually power the modern web, with no practical loss of capability for developers.

Just to be clear, the intention is not to deprecate the usage of XML (without XSLT) in other web platform APIs.

Also, a side-note: much of XSLT isn't actually defined in the HTML/DOM standards. See whatwg/dom#181 for example. But we can potentially remove the few places that do mention it.

This question was raised recently in a WHATNOT meeting, but I’d like to have an issue where we can discuss and comment. Thoughts?