Chromium has decided to remove XSLT support and discontinue the use of libxslt and libxml2.

Google has decided to remove the components that support the XML document transformation language (XSLT) from the Chromium browser engine. The cited reason is a desire to reduce the attack surface by discontinuing the use of the libxslt library. Google believes that support for XSLT 1.0 creates unnecessary security risks, as vulnerabilities are periodically found in libxslt (e.g., CVE-2025-7425 and CVE-2022-22834) and the library has maintenance issues (from June to September, it was unmaintained and received no vulnerability patches). The Firefox and WebKit projects are also considering removing XSLT support.

XSLT vulnerabilities are becoming a tool for attacking browsers, despite the fact that client-side XSLT support is currently unneeded and rarely used, and HTML data conversion tasks can be performed more securely using JavaScript APIs such as DOMParser and Fetch. According to Google statistics, the share of loaded web pages that use XSLT is 0.02%, while the share of pages that use XSLT processing instructions is estimated at 0.001%.

Similarly, it was decided to discontinue the use of the libxml2 library in Chromium, which is also regularly found to have vulnerabilities and maintenance issues. Chromium uses libxml2 to parse, serialize, and validate XML data, and libxslt to implement the XSLTProcessor class and XSLT processing instructions.

Support for libxslt-based features, such as the XSLTProcessor API and XML stylesheet parsing instructions, will be deprecated in Chrome 155, scheduled for November 17, 2026. In Chrome 143, scheduled for December 2, 2025, a warning will be added to the web console about the deprecation of the XSLTProcessor API. In Chrome 148 (spring 2026), XSLT support will be disabled by default in the Canary, Dev, and Beta branches. XML parsing functionality will remain, but will be migrated to a new library written in Rust with an eye on security.

As a replacement for built-in browser XSLT support, it is proposed to move XSLT processing to the server side and send pre-formatted HTML content to clients. Handlers that use the XML API for client-server interaction are proposed to be replaced with the JSON format and rendering by converting JSON to HTML/CSS using JavaScript. Potential alternatives also include the Saxonica JavaScript library with an XSLT implementation, a polyfill for legacy code compatibility that offers a WASM-based replacement for XSLTProcessor, and a browser add-on that automatically inserts the polyfill into XML documents.
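
Before choosing among these replacements, a site owner needs an inventory of where the two affected features, the XSLTProcessor API and XSLT stylesheet processing instructions, are actually used. The scanner below is an added example, not code from the article or the Chromium project; it assumes the processing instruction takes the standard `<?xml-stylesheet ... ?>` form, and all file names and contents are constructed sample input.

```javascript
// Added example: inventory of the two browser features the article says are going away.
// All file names and contents below are constructed sample input.
const PI_RE = /<\?xml-stylesheet\b([\s\S]*?)\?>/g;
const ATTR_RE = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
const API_RE = /\bXSLTProcessor\b/g;

// Parse the pseudo-attributes of one xml-stylesheet processing instruction.
function pseudoAttrs(body) {
  const attrs = {};
  for (const m of body.matchAll(ATTR_RE)) attrs[m[1].toLowerCase()] = m[2] ?? m[3];
  return attrs;
}

// A stylesheet PI matters only if it points at XSLT, not CSS.
function isXsltPi(attrs) {
  const type = (attrs.type || "").toLowerCase();
  if (type) return type.includes("xsl"); // text/xsl, application/xslt+xml
  return /\.xslt?(\?|#|$)/i.test(attrs.href || ""); // no type: fall back to the href extension
}

function lineOf(text, index) {
  return text.slice(0, index).split("\n").length;
}

function findXsltUsage(files) {
  const findings = [];
  for (const [name, text] of Object.entries(files)) {
    for (const m of text.matchAll(PI_RE)) {
      const attrs = pseudoAttrs(m[1]);
      if (isXsltPi(attrs))
        findings.push({ file: name, line: lineOf(text, m.index), kind: "xml-stylesheet", href: attrs.href || null });
    }
    for (const m of text.matchAll(API_RE))
      findings.push({ file: name, line: lineOf(text, m.index), kind: "XSLTProcessor", href: null });
  }
  return findings;
}

const SAMPLE_FILES = {
  "feed.xml": '<?xml version="1.0"?>\n<?xml-stylesheet type="text/xsl" href="/rss.xsl"?>\n<rss/>',
  "doc.xml": '<?xml version="1.0"?>\n<?xml-stylesheet type="text/css" href="doc.css"?>\n<doc/>',
  "report.xml": "<?xml-stylesheet href='report.xslt'?>\n<report/>",
  "app.js": "const p = new XSLTProcessor();\np.importStylesheet(sheet);",
};

console.table(findXsltUsage(SAMPLE_FILES));
```

The CSS stylesheet in `doc.xml` is deliberately not reported, since only XSLT stylesheets are affected by the removal.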

Source: opennet.ru
