> their concerns about security just being the pretext.

It seems entirely reasonable to be concerned about XSLT’s effects on security:

> Although XSLT in web browsers has been a known attack surface for some time, there are still plenty of bugs to be found in it, when viewing it through the lens of modern vulnerability discovery techniques. In this presentation, we will talk about how we found multiple vulnerabilities in XSLT implementations across all major web browsers. We will showcase vulnerabilities that remained undiscovered for 20+ years, difficult to fix bug classes with many variants as well as instances of less well-known bug classes that break memory safety in unexpected ways. We will show a working exploit against at least one web browser using these bugs.

— https://www.offensivecon.org/speakers/2025/ivan-fratric.html

— https://www.youtube.com/watch?v=U1kc7fcF5Ao

AFAIK browsers rely on an old version of xslt libraries and haven’t upgraded to newer versions

They also seem to be putting pressure on the library maintainer resulting in them saying they’re not going to embargo security bugs