| ▲ | neilk 17 hours ago | |||||||
XSLT is being exploited right now for security vulnerabilities, and there is no solution on the horizon. The browser technologies that people actually use, like JavaScript, have active attention to security issues, decades of learnings baked into the protocol, and even attention from legislators. You imagine that XSLT is more secure but it’s not. It’s never been. Even pure XSLT is quite capable of Turing-complete tomfoolery, and from the beginning there were loopholes to introduce unsafe code. As they say, security is not a product, it’s a process. The process we have for existing browser technologies is better. That process is better because more people use it. But even if we were to try to consider the technologies in isolation, and imagine a timeline where things were different? I doubt whether XML+XSLT is the superior platform for security. If it had won, we’d just have a different nightmare of intermingled content and processing. Maybe more stuff being done client-side. I expect that browser and OS manufacturers would be warping content to insert their own ads. | ||||||||
| ▲ | NL807 6 hours ago | parent | next [-] | |||||||
>You imagine that XSLT is more secure but it’s not. It’s never been. Even pure XSLT is quite capable of Turing-complete tomfoolery, and from the beginning there were loopholes to introduce unsafe code. Are there examples of this? | ||||||||
| ▲ | array_key_first 10 hours ago | parent | prev [-] | |||||||
> The browser technologies that people actually use, like JavaScript, have active attention to security issues, decades of learnings baked into the protocol, and even attention from legislators. Yes, they also have much more vulnerabilities, because browsers are JIT compiling JS to w+x memory pages. And JS continues to get more complex with time. This is just fundamentally not the case with XSLT. We're comparing a few XSLT vulnerabilities to hundreds of JIT compiler exploits. | ||||||||
| ||||||||