One point from one of the linked threads I find particularly puzzling:
> I think the issue with XSLT isn't necessarily the size of the attack surface, it's the lack of attention and usage.
> I.e. nearly 100% of sites use JS, while 1/10000 of those use XSLT. So all of the engineering energy (rightfully) goes to JS, not XSLT.
XSLT is a finished standard. Not everything needs to evolve. If the implementation works and is safe, what speaks against keeping it?