←back to thread

Google is killing the open web, part 2

(wok.oblomov.eu)
418 points akagusu | 2 comments | 17 Nov 25 15:41 UTC | HN request time: 0s | source
Show context
nwellnhof ◴[17 Nov 25 16:33 UTC] No.45955183[source]
Removing XSLT from browsers was long overdue and I'm saying that as ex-maintainer of libxslt who probably triggered (not caused) this removal. What's more interesting is that Chromium plans to switch to a Rust-based XML parser. Currently, they seem to favor xml-rs which only implements a subset of XML. So apparently, Google is willing to remove standards-compliant XML support as well. This is a lot more concerning.
replies(11): >>45955239 #>>45955425 #>>45955442 #>>45955667 #>>45955747 #>>45955961 #>>45956057 #>>45957011 #>>45957170 #>>45957880 #>>45977574 #
zetafunction ◴[17 Nov 25 17:16 UTC] No.45955667[source]
https://issues.chromium.org/issues/451401343 tracks work needed in the upstream xml-rs repository, so it seems like the team is working on addressing issues that would affect standards compliance.

Disclaimer: I work on Chrome and have occasionally dabbled in libxml2/libxslt in the past, but I'm not directly involved in any of the current work.

replies(2): >>45955710 #>>45956175 #
Ygg2 ◴[17 Nov 25 17:20 UTC] No.45955710[source]
Wait. They are going along with a XML parser that supports DOCTYPES? I get XSLT is ancient and full of exploits, but so is DOCTYPE. Literally poster boy for billion laughs attack (among other vectors).
replies(3): >>45955868 #>>45956180 #>>45956321 #
1. fabrice_d ◴[17 Nov 25 18:07 UTC] No.45956180[source]
The billion laughs attack has well known solutions (basically, don't recurse too deep). It's not a reason to not implement DOCTYPE support.
replies(1): >>45963054 #
2. Ygg2 ◴[18 Nov 25 09:25 UTC] No.45963054[source]
> The billion laughs attack has well known solutions (basically, don't recurse too deep)

You can then recurse wide. In theory it's best to allow only X placeables of up to Y size.

The point is, Doctype/External entities do a similar thing to XSLT/XSD (replacing elements with other elements), but in a positively ancient way.