Should we remove XSLT from the web platform?

Original link: https://github.com/whatwg/html/issues/11523

Client-side XSLT, standardized in 1999, is increasingly a security risk for modern web browsers. Although XSLT has evolved beyond its original version, browsers have not kept up, and it has gradually been displaced by JavaScript-based DOM manipulation (such as JSON+React). The core problem lies in the aging, complex C/C++ libraries (such as libxslt) that browsers use to process XSLT transformations. These libraries are prone to memory safety vulnerabilities and receive far less security attention than JavaScript engines, even though they process untrusted web content. XSLT has featured in several recent high-profile security exploits. The proposal is to deprecate and remove XSLT, *not* XML itself, from the web standards in order to reduce the browser attack surface, simplify the platform, and focus security effort on actively used technologies. Removing the few references to XSLT in the HTML/DOM standards would provide a tangible security improvement with minimal impact on developers.

## Hacker News discussion on removing XSLT

Hacker News is discussing a Google-driven proposal to remove XSLT support from web browsers. The core reasons given for removal are maintenance burden, low usage (under 0.01% of page loads) and security vulnerabilities; a recent presentation highlighted bugs more than 20 years old.

Many commenters push back, however, stressing the importance of backward compatibility and the risk of breaking existing websites and services (for example government data published as XML). Concerns were raised about Google's seemingly uncompromising stance, especially regarding polyfill solutions.

The debate also touches on broader issues: the growing complexity of the web platform, the difficulty of launching a new browser engine, and the power dynamics between browser vendors and web content creators. Some argue that removing features is necessary to simplify the product, while others criticize the disregard for legacy systems and the emotional toll on developers who depend on XSLT. A recurring theme is frustration at what is seen as a lack of respect from browser vendors toward the developers who build and maintain older web technologies.

## Original text

What is the issue with the HTML Standard?

XSLT v1.0, which all browsers adhere to, was standardized in 1999. In the meantime, XSLT has evolved to v2.0 and v3.0, adding features, and growing apart from the old version frozen into browsers. This lack of advancement, coupled with the rise of JavaScript libraries and frameworks that offer more flexible and powerful DOM manipulation, has led to a significant decline in the use of client-side XSLT. Its role within the web browser has been largely superseded by JavaScript-based technologies such as JSON+React. The underlying libraries that browsers use to process these transformations (e.g. libxslt in Chromium) are complex, aging C/C++ codebases. This type of code is notoriously susceptible to memory safety vulnerabilities like buffer overflows, which can lead to arbitrary code execution. Because client-side XSLT is now a niche, rarely-used feature, these libraries receive far less maintenance and security scrutiny than core JavaScript engines, yet they represent a direct, potent attack surface for processing untrusted web content. Indeed, XSLT is the source of several recent high-profile security exploits that continue to put browser users at risk.

For these reasons, I’d like to raise the question of whether we should deprecate and remove XSLT from the web standard. Doing so would directly reduce the browser's attack surface for all users, simplify the web platform, and allow engineering resources to be focused on securing the technologies that actually power the modern web, with no practical loss of capability for developers.

Just to be clear, the intention is not to deprecate the usage of XML (without XSLT) in other web platform APIs. Also, a side-note: much of XSLT isn't actually defined in the HTML/DOM standards. See whatwg/dom#181 for example. But we can potentially remove the few places that do mention it.

This question was raised recently in a WHATNOT meeting, but I’d like to have an issue where we can discuss and comment. Thoughts?
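Before a removal like this lands, the first thing a site owner wants to know is whether any of their XML documents actually depend on client-side XSLT. The inventory helper below is an added example, not code from the WHATWG issue or the summary above; it assumes the `<?xml-stylesheet ...?>` processing instruction in the XML prolog is the trigger to look for (script-driven `XSLTProcessor` use is out of scope), and it treats `text/xsl` as the conventional XSLT type with the other listed MIME types as an assumption about what engines also accept.

```python
"""Inventory check for client-side XSLT dependence (added example).

Assumption: the trigger is an <?xml-stylesheet ...?> processing instruction
in the XML prolog; script-driven XSLTProcessor use is not covered here.
"""
import re

# One xml-stylesheet PI and its body of pseudo-attributes.
_PI_RE = re.compile(r"<\?xml-stylesheet\s+(.*?)\?>", re.DOTALL)
# Pseudo-attributes: name="value" or name='value'.
_PSEUDO_ATTR_RE = re.compile(r"(\w+)\s*=\s*(?:\"([^\"]*)\"|'([^']*)')")
# The first '<' that opens an element (not '<?' or '<!') ends the prolog.
_ROOT_START_RE = re.compile(r"<[A-Za-z_:]")

# text/xsl is the conventional type; the other entries are an assumption
# about additional types engines accept, so adjust for the target browser.
XSLT_TYPES = {"text/xsl", "text/xml", "application/xml", "application/xslt+xml"}


def parse_pi(body: str) -> dict:
    """Parse one PI body such as 'type="text/xsl" href="a.xsl"' into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PSEUDO_ATTR_RE.finditer(body)}


def xslt_stylesheets(xml_text: str) -> list:
    """Return hrefs of stylesheets that would make a browser run an XSLT transform.

    Only PIs before the root element count; a CSS stylesheet PI is ignored.
    """
    root = _ROOT_START_RE.search(xml_text)
    prolog = xml_text[:root.start()] if root else xml_text
    hrefs = []
    for pi in _PI_RE.finditer(prolog):
        attrs = parse_pi(pi.group(1))
        if attrs.get("type", "").lower() in XSLT_TYPES and "href" in attrs:
            hrefs.append(attrs["href"])
    return hrefs


# Constructed sample documents, not taken from the page.
SAMPLE_WITH_XSLT = """<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" href="/feed.xsl"?>
<rss version="2.0"><channel><title>example</title></channel></rss>"""
SAMPLE_CSS_ONLY = """<?xml version="1.0"?>
<?xml-stylesheet type='text/css' href='/style.css'?>
<doc/>"""

if __name__ == "__main__":
    for name, doc in (("with_xslt", SAMPLE_WITH_XSLT), ("css_only", SAMPLE_CSS_ONLY)):
        print(name, "->", xslt_stylesheets(doc) or "no client-side XSLT")
```

Run it over the XML responses a crawler collects from your own site; any non-empty result is a page that will change behaviour once browsers stop honouring the transform.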
