marcosdumay 18 hours ago

I dunno why nobody used things like external includes in XML, but the worst parts of YAML were there too. (But at least, I think XML doesn't have macro expansions, so that's a win.)

mpyne 17 hours ago | parent | next [-]

> I dunno why nobody used things like external includes in XML

In practice they led to fairly severe security vulnerabilities. "XXE" used to be an OWASP Web Top 10 issue, and the reason it dropped off the list was because XML mostly went away, not because it stopped being a thing.

> But at least, I think XML doesn't have macro expansions, so that's a win.

XML, like HTML, has entities that can be expanded. Unlike HTML you can define them in XML and this led to the "Billion laughs attack": https://en.wikipedia.org/wiki/Billion_laughs_attack
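An added example, not part of the thread: one way to parse untrusted XML so that neither external entities (XXE) nor nested entity expansion (billion laughs) can occur, by refusing DTD and entity declarations at the parser level. It uses Python's standard `xml.parsers.expat`; the function names, the `ForbiddenXML` exception and the sample documents are constructed for illustration.

```python
import xml.parsers.expat

class ForbiddenXML(ValueError):
    """Raised when untrusted XML uses a DTD feature this policy refuses."""

def parse_untrusted(data: bytes, forbid_dtd: bool = True) -> list:
    """Parse XML and return element names in document order.

    Refuses DOCTYPE declarations (default) and, in every case, any entity
    declaration, so nothing can be expanded or fetched on the input's behalf.
    """
    parser = xml.parsers.expat.ParserCreate()
    elements = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if forbid_dtd:
            raise ForbiddenXML(f"DOCTYPE not allowed: {name}")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # Internal entities carry a value; external ones carry a system id.
        kind = "external" if sysid is not None else "internal"
        raise ForbiddenXML(f"{kind} entity declaration not allowed: {name}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = lambda name, attrs: elements.append(name)
    parser.Parse(data, True)  # exceptions raised in handlers propagate out
    return elements

def verdict(data: bytes, forbid_dtd: bool = True) -> str:
    """Return a one-line accept/reject decision for a document."""
    try:
        return "ok: " + ",".join(parse_untrusted(data, forbid_dtd))
    except ForbiddenXML as exc:
        return "rejected: " + str(exc)

# Constructed sample documents (two-level nesting only; URL is a placeholder).
PLAIN = b"<config><item>1</item></config>"
NESTED = b'<!DOCTYPE d [<!ENTITY a "ha"><!ENTITY b "&a;&a;">]><d>&b;</d>'
EXTERNAL = (b'<!DOCTYPE d [<!ENTITY ext SYSTEM "http://example.invalid/e.xml">]>'
            b"<d>&ext;</d>")

if __name__ == "__main__":
    for sample in (PLAIN, NESTED, EXTERNAL):
        print(verdict(sample))
        print(verdict(sample, forbid_dtd=False))
```

Rejecting at declaration time means the parser stops before any entity reference in the body is resolved, regardless of how deep the nesting goes.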

marcosdumay 14 hours ago | parent [-]

> In practice they led to fairly severe security vulnerabilities.

Well, that seems to not matter for the people writing YAML.

> XML, like HTML, has entities that can be expanded.

Lol! Of course I'd be wrong about that.

Expecting XML not to have a well-known security vulnerability is a losing proposition.

actionfromafar 17 hours ago | parent | prev [-]

At least in XML you could easily see where a tag ended and a single whitespace too much or too little wasn't sure to make your day worse. (Though, sometimes it did.)