Google has announced its decision to remove the components of the Chromium browser engine that support XSLT, the XML document transformation language. The move is aimed at reducing the attack surface by discontinuing the use of the libxslt library. According to Google, support for XSLT 1.0 poses unnecessary security risks because vulnerabilities are periodically discovered in libxslt (such as CVE-2025-7425 and CVE-2022-22834), and because of maintenance problems (the library was left without maintenance or vulnerability patches from June to September). The Firefox and WebKit projects are considering similar decisions.
Although client-side XSLT support is currently in little demand and rarely used, vulnerabilities in XSLT still expose browsers to attack. Tasks that involve converting data to HTML can be accomplished more securely with JavaScript APIs such as DOMParser and Fetch. Google's statistics show that only 0.02% of loaded web pages use XSLT, and the share of pages using XSLT processing instructions is estimated at 0.001%.
In addition, it has been decided to discontinue the use of the libxml2 library in Chromium, since it too suffers from regular vulnerabilities and maintenance issues.