(no title)

One point from one of the linked threads I find particularly puzzling:

> I think the issue with XSLT isn't necessarily the size of the attack surface, it's the lack of attention and usage.

> I.e. nearly 100% of sites use JS, while 1/10000 of those use XSLT. So all of the engineering energy (rightfully) goes to JS, not XSLT.

XSLT is a finished standard. Not everything needs to evolve. If the implementation works and is safe, what speaks against keeping it?