Update 0: Fixed title, it's 5 rather than 4, and possibly another that's undisclosed.
Update 1: Apparently, GNOME bureaucracy is holding up the processing of the application of a new maintainer for over a month now. Major browsers responded by deprecating/removing XSLT support. XSLT is/was mainly used for rendering and transforming SGML, HTML, and XML to other forms, I didn't even realize browsers supported it directly. https://gitlab.gnome.org/GNOME/libxslt/-/issues/150
I guess, technically, if libxslt isn't statically or dynamically linked in like browsers and some other programs do and only used as a build dep such as through xsltproc, there's not really a security issue after a build. For all runtime use / direct linking of libxslt, it's still a problem.
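Added example, not part of the original post: the post above separates build-time use of xsltproc from programs that load libxslt at run time, and this script inventories the latter by reading each file's `DT_NEEDED` entries. It assumes binutils' `readelf` is installed; the function names and the sample output are constructed for illustration, and statically linked copies of the library are not detected.

```shell
#!/bin/sh
# Added example (not from the thread): inventory of run-time libxslt consumers.
# Assumption: binutils' readelf is available. Static copies are NOT detected.

# Read `readelf -d` output on stdin and print each DT_NEEDED soname, one per line.
needed_libs() {
    sed -n 's/^.*(NEEDED).*Shared library: \[\([^]]*\)\].*$/\1/p'
}

# Succeed if the sonames on stdin include libxslt (libxslt.so, libxslt.so.1, ...).
# libexslt.so does not match on its own; it pulls in libxslt through its own NEEDED.
has_libxslt() {
    grep -q '^libxslt\.so'
}

# Print every regular file under the given directories whose dynamic section
# lists libxslt, i.e. code that loads the library when it runs.
scan_dirs() {
    find "$@" -type f 2>/dev/null | while IFS= read -r f; do
        if readelf -d "$f" 2>/dev/null | needed_libs | has_libxslt; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed sample of `readelf -d` output, used to exercise the parser offline.
SAMPLE_DYNAMIC='Dynamic section at offset 0x2d90 contains 27 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libxslt.so.1]
 0x0000000000000001 (NEEDED)             Shared library: [libxml2.so.2]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000c (INIT)               0x1000'

# Scan only when directories are passed on the command line.
if [ "$#" -gt 0 ]; then
    scan_dirs "$@"
fi
```

Pass the directories to audit as arguments, for example `/usr/bin /usr/lib`. xsltproc itself appears in the output because it links the library.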
XSLT is a declarative language for transforming XML to other formats. XML is a pretty poor solution for configuration files (which is what everybody seemed to use it for back in the day) but works great for, you guessed it, marking up documents. If you have an XML schema for representing documents semantically you can then write an XSLT that quickly and efficiently converts it to, say, XHTML. This way you can work in a nice intermediate representation rich with meaning and specify the presentation as a function thereof.
It's not particularly sexy technology but it works well when used judiciously. Part of me wonders if XML will make some bizarre comeback in the era of LLMs for training data annotation or something similarly niche.
simoncion · 10m ago
XSLT are the "XSL Transformations".
As described in [0]
> XSLT ... is a language for transforming XML documents into other XML documents. ... XSLT is designed for use as part of XSL, which is a stylesheet language for XML.
If you don't know what "XML" is, go ask your favorite search engine.
If you want to know who uses XSLT, go review the existing discussion on the topic. In summary, it's a bunch of people that Google doesn't really care about (and almost certainly far more people than use WebUSB or WebMIDI [1] and the like).
I always thought of it as a specialized XML extension that describes transformations on other XML documents. Never used it, not sure why anything on my system uses it if I don't come across it in my daily software development life either but I have seen it as a dependency more times than I can remember.
"Remove mentions of XSLT from the html spec" (9 days ago, 388p, 534c) https://news.ycombinator.com/item?id=44952185
"XSLT removal will break multiple government and regulatory sites" (6 days ago, 157p, 142c) https://news.ycombinator.com/item?id=44987346
"Should the web platform adopt XSLT 3.0?" (6 days ago, 133p, 107c) https://news.ycombinator.com/item?id=44987552
"Google did not unilaterally decide to kill XSLT" (6 days ago, 102p, 130c) https://news.ycombinator.com/item?id=44987239
--- List
0: https://gitlab.gnome.org/GNOME/libxslt/-/issues/139
1: https://gitlab.gnome.org/GNOME/libxslt/-/issues/140
2: https://gitlab.gnome.org/GNOME/libxslt/-/issues/144
3: https://gitlab.gnome.org/GNOME/libxslt/-/issues/148
4: BIGSLEEP-433713988 https://issuetracker.google.com/issues/433713988
> Please be aware: nobody will merge your fix because there are no active maintainers remaining. (If anybody is interested in maintaining libxslt, please let me know.) Having patches here will help a lot anyway, though, since downstream vendors will be able to use them.
https://gitlab.gnome.org/GNOME/libxslt/-/issues/144#note_245...
List of FreeBSD ports that are unlikely to build without `make DISABLE_VULNERABILITIES=yes`:
https://pastebin.com/raw/5dQ2U46f
[0] <https://www.w3.org/TR/1999/PR-xslt-19991008>
[1] Yes, really.