[da_chicken]

That's not any different than JSON, though. Injection, insecure deserialization , etc. can all exist in that format as well.

There's plenty of reasons to criticize XML, and plenty more to criticize XSLT. But security being the one you call out feels at least moderately disingenuous. It's a criticism of the library, not the standard or the format.

[dtech]

There's an extremely large difference in that a JSON deserialization vulnerability is almost always a bug in the library. JSON is not an inherently insecure format.

XML is so complex that a 100% bug-free compliant library is inherently insecure, and the vulnerability is a "user is holding it wrong" siutation, they should have disabled specific XML features etc. That means XML is an inherently much more insecure format.

There's a reason there's name for vulnerabilities like XML External Entity (XXE) injection [1] and they're named after XML, and not "bug in lib/software X". JSON and most other data formats don't have that.

[1] https://portswigger.net/web-security/xxe

[Mikhail_Edoshin]

XML has a relatively small specification. For some time I used to "print" web pages into PDF (or XPS) and I remember that XML 1.0 specification was three times shorter than that of YAML (it was YAML 2, I think, I don't quite remember). And XML included a) serialization itself, b) simple grammar specification in the form of DTD, c) things like internal references from one element to another, d) basic support for other notations, so that you could add, say, LaTeX math notation and formally define that this element's content is in this notation. I do not think (b), (c) or (d) were part of YAML or any other similar format.