[tormeh]

Templated YAML - and all YAML eventually becomes templated - is so bad it makes me yearn for XML. We had it bad and we made it worse.

[marcosdumay]

I dunno why nobody used things like external includes in XML, but the worst parts of YAML were there too. (But at least, I think XML doesn't have macro expansions, so that's a win.)

[mpyne]

> I dunno why nobody used things like external includes in XML

In practice they led to fairly severe security vulnerabilities. "XXE" used to be an OWASP Web Top 10 issue, and the reason it dropped off the list was because XML mostly went away, not because it stopped being a thing.

> But at least, I think XML doesn't have macro expansions, so that's a win.

XML, like HTML, has entities that can be expanded. Unlike HTML you can define them in XML and this led to the "Billion laughs attack": https://en.wikipedia.org/wiki/Billion_laughs_attack

[marcosdumay]

> In practice they led to fairly severe security vulnerabilities.

Well, that seems to not matter for the people writing YAML.

> XML, like HTML, has entities that can be expanded.

Lol! Of course I'd be wrong about that.

Expecting XML not to have a well known security vulnerability is a losing proposition.

[actionfromafar]

At least in XML you could easily see where a tag ended and a single whitespace too much or too little wasn't sure to make your day worse. (Though, sometimes it did.)