Most active commenters
  • johncolanduoni(5)
  • lucumo(4)
  • notpushkin(3)
  • ekianjo(3)
  • sunaookami(3)

←back to thread

Show HN: JavaScript-free (X)HTML Includes

(github.com)
210 points Evidlo | 28 comments | 22 Aug 25 18:47 UTC | HN request time: 2.608s | source | bottom

(spoiler: its XSLT)

I've been working on a little demo for how to avoid copy-pasting header/footer boilerplate on a simple static webpage. My goal is to approximate the experience of Jekyll/Hugo but eliminate the need for a build step before publishing. This demo shows how to get basic templating features with XSL so you could write a blog post which looks like

  <?xml version="1.0"?>
  <?xml-stylesheet type="text/xsl" href="/template.xsl"?>
  <page>
      <title>My Article</title>
      <content>
          some content
          <ul>
              <li>hello</li>
              <li>hello</li>
          </ul>
      </content>
  </page>
Some properties which set this approach apart from other methods:

  - no build step (no need to setup Jekyll on the client or configure Github/Gitlab actions)
  - works on any webserver (e.g. as opposed to server-side includes, actions)
  - normal looking URLs (e.g. `example.com/foobar` as opposed to `example.com/#page=foobar`)
There's been some talk about removing XSLT support from the HTML spec [0], so I figured I would show this proof of concept while it still works.

[0]: https://news.ycombinator.com/item?id=44952185

See also: grug-brain XSLT https://news.ycombinator.com/item?id=44393817

Show context
shakna ◴[22 Aug 25 23:38 UTC] No.44991280[source]
As of the next version of Chrome, XSLT will be gated behind a flag.

Google have also asked for it to be removed from the standard [0].

[0] https://github.com/WHATWG/html/issues/11523

replies(5): >>44991471 #>>44991489 #>>44991500 #>>44991526 #>>44992056 #
1. SnuffBox ◴[23 Aug 25 00:00 UTC] No.44991500[source]
I find it bizarre that Google can just ask for a feature to be removed from standard and nobody bats an eye.
replies(6): >>44991546 #>>44992072 #>>44992210 #>>44992387 #>>44992424 #>>44994991 #
2. notpushkin ◴[23 Aug 25 00:05 UTC] No.44991546[source]
If I understand correctly, Mozilla and Apple don’t really want to support it either. And the reason for that is, the spec is still at XSLT 1.0, which is super old, and current implementations are effectively abandonware. Catch-22?
replies(2): >>44992390 #>>44992457 #
3. esrauch ◴[23 Aug 25 01:23 UTC] No.44992072[source]
It doesn't seem weird at all to me: standard is essentially the consensus of the major browser vendors; a spec which all of Chrome, Safari and Edge don't implement is really just a hypothetical.

The origin story of whatwg is that Apple, Mozilla and Opera decided that W3C wasn't making specs that they wanted to implement, so they created a new working group to make them.

4. chrismorgan ◴[23 Aug 25 01:44 UTC] No.44992210[source]
> nobody bats an eye

I’ve seen a lot of eye-batting about this. Although Google, Mozilla and Apple are all in favour of removing it, there’s been a lot of backlash from developers.

replies(1): >>44992793 #
5. ekianjo ◴[23 Aug 25 02:10 UTC] No.44992387[source]
Even "champion of the web" Mozilla is on board. Tells you exactly what you need to know.
6. ekianjo ◴[23 Aug 25 02:11 UTC] No.44992390[source]
The spec is at XLST 3 right now.
replies(2): >>44992447 #>>44995729 #
7. johncolanduoni ◴[23 Aug 25 02:17 UTC] No.44992424[source]
To be fair, some things should be legitimately considered to be removed from the standard. O.G. XHTML basically mandated that you accept XML logic bombs and we got over that.

Also, while this is certainly Google throwing their weight around, I don’t think they are doing it for monetary advantage. I’m not sure how removing XSLT burnishes their ad empire the way things like nerfing ManifestV3 have. I think their stated reasons - that libxslt is a security disaster zone for an obscure 90s-era feature - is earnest even if its not actually in the broader web’s best interests. Now that Safari is publicly on board to go second, I suspect it’s an inevitability.

replies(1): >>44993872 #
8. abraham ◴[23 Aug 25 02:20 UTC] No.44992447{3}[source]
Browsers only implement XSLT 1

https://meyerweb.com/eric/thoughts/2025/08/22/no-google-did-...

replies(1): >>44993269 #
9. johncolanduoni ◴[23 Aug 25 02:21 UTC] No.44992457[source]
I believe the spec is at XSLT 3.0 but no browser actually implemented past XSLT 1.0 (not 100% sure - almost nobody cared about this feature last month so hard to find good docs on support). HTML5 and C++ are cut from the same cloth - massive and no reference implementation so full of features that have been “standard” for 10 years but never implemented by anyone.
replies(2): >>44992805 #>>44992835 #
10. johncolanduoni ◴[23 Aug 25 03:15 UTC] No.44992793[source]
Most of whom had never heard of XSLT before today - some were likely born after it had faded into obscurity. I don’t blame people for hating Google for whatever reason, but this is a weird way to try to stick it to them.
replies(2): >>44994843 #>>44995108 #
11. arccy ◴[23 Aug 25 03:17 UTC] No.44992805{3}[source]
even outside of browsers barely anything supports XSLT newer than 1.0
12. notpushkin ◴[23 Aug 25 03:22 UTC] No.44992835{3}[source]
Yeah, sorry, the XSLT spec is at 3.0 right now of course, but the browsers don’t implement it, and the WHATWG HTML Living Standard only mentions XSLT 1.0.
13. ekianjo ◴[23 Aug 25 04:53 UTC] No.44993269{4}[source]
We were talking about the spec, not the implementation.
14. Mikhail_Edoshin ◴[23 Aug 25 06:53 UTC] No.44993872[source]
XML "logic bombs" happens when the parser expand entities eagerly. If a parser does that one can easily assemble an enormous entity that will eat up all the memory. But a more sophisticated parser won't expand entities right away and thus can merely reject oversized ones. It is really a minor issue.
replies(1): >>44999283 #
15. sunaookami ◴[23 Aug 25 10:17 UTC] No.44994843{3}[source]
XSLT is widely used, for example by the US congress: https://simonwillison.net/2025/Aug/19/xslt/
replies(1): >>44995506 #
16. TiredOfLife ◴[23 Aug 25 10:51 UTC] No.44994991[source]
Mozilla asked for removal. Google just filled the paperwork
17. ndriscoll ◴[23 Aug 25 11:14 UTC] No.44995108{3}[source]
More likely the people complaining are those who use it. I've been using it as the sane way to template my personal stuff for ~20 years. It works very well for "hand written" sites. I'm also not trying to be a top site or even visible to the wider world; my audience is my friends and family members. So to me it's a clear "that's not an important use case for the web now" signal.
18. lucumo ◴[23 Aug 25 12:28 UTC] No.44995506{4}[source]
Neither you nor the blog posts author had heard of that before that ridiculous GitHub issue from yesterday. You're all using the exact same link to the exact same page. This is intellectual dishonesty from you, the blog post author and the issue reporter.

Anyone who has read the response to the reporter knows that this is a cherry-picked alternative format. The normal format is an HTML5 page. Search engines just return that instead, so the only way to have found this page is by clicking through that.

replies(1): >>44995699 #
19. sunaookami ◴[23 Aug 25 13:06 UTC] No.44995699{5}[source]
So "it doesn't matter because other people already posted this example"?
replies(2): >>44997557 #>>44999267 #
20. JW_00000 ◴[23 Aug 25 13:10 UTC] No.44995729{3}[source]
When notpushkin said "the spec is still at XSLT 1.0", I think "the spec" is referring to the WHATWG HTML Living Standard spec, which only refers to XSLT 1.0. (It wouldn't make sense to say "the XSLT spec is at XSLT 1.0".)
replies(1): >>45034947 #
21. lucumo ◴[23 Aug 25 17:28 UTC] No.44997557{6}[source]
Is your intellectual dishonesty professional, or just a hobby?
replies(1): >>45003873 #
22. johncolanduoni ◴[23 Aug 25 21:25 UTC] No.44999267{6}[source]
I think their point was that for everything the US congress makes available through client-rendered XSLT, they already also do the transformation on their side and serve the HTML under another page. Which I think is part of Google’s point - you can just compile the XSLT offline once (or during your release process) and provide the same experience without rewriting anything.
replies(1): >>45010844 #
23. johncolanduoni ◴[23 Aug 25 21:28 UTC] No.44999283{3}[source]
There were other esoteric XML logic bomb inducing features is my recollection from all the stuff you used to have to change on the default XML Java parsers, but this was like 20 years ago so I may be misremembering.
replies(1): >>45002173 #
24. Mikhail_Edoshin ◴[24 Aug 25 07:39 UTC] No.45002173{4}[source]
I myself only remember the possible misuse of disk/URL reading features. These were indeed features and were added by design, but, of course, enabling them in non-trusted input could lead to all sorts of disasters.
25. sunaookami ◴[24 Aug 25 12:49 UTC] No.45003873{7}[source]
So no arguments, got it.
replies(1): >>45010850 #
26. lucumo ◴[25 Aug 25 06:27 UTC] No.45010844{7}[source]
> I think their point was that for everything the US congress makes available through client-rendered XSLT, they already also do the transformation on their side and serve the HTML under another page.

More or less. I wasn't really about that argument, it was about the intellectual dishonesty of ignoring that it exists.

The original GitHub issue contained that link and was almost immediately answered. Everyone reading the issue report could have, should have and probably did read the answer.

The blog post doesn't mention the argument exists. To be fair to that author, it sounds like it was mostly "oh cool, this exists post", which doesn't need to go into pros and cons.

We can't extend that goodwill to sunaookami. They used it as an example that it's "widely used". Willfully ignoring that this example is pretty minor. (If this is the best example, it's not a good sign, BTW...)

I don't really care about XSLT support in browsers, but I do care about intellectual honesty in these debates. Nobody needs to agree with the argument. AFAIC, it's perfectly okay to believe that this page is of vital importance to the world. But that argument should then be made. That's how we go forward. How we get better decisions. That's how everybody learns.

If on the other hand people only repeat each other's most impressive sounding examples, then everybody gets dumber. We're no longer working to take a good decision through good arguments, but we'd be working to justify a made decision through bad arguments.

27. lucumo ◴[25 Aug 25 06:28 UTC] No.45010850{8}[source]
Oh no, I have arguments. But you'd just pretend I said something else, so I see no point.
28. notpushkin ◴[27 Aug 25 02:52 UTC] No.45034947{4}[source]
Exactly. Thanks!