I dunno why nobody used things like external includes in XML, but the worst parts of YAML were there too. (But at least, I think XML doesn't have macro expansions, so that's a win.)
> I dunno why nobody used things like external includes in XML
In practice they led to fairly severe security vulnerabilities. "XXE" used to be an OWASP Web Top 10 issue, and the reason it dropped off the list was because XML mostly went away, not because it stopped being a thing.
At least in XML you could easily see where a tag ended and a single whitespace too much or too little wasn't sure to make your day worse. (Though, sometimes it did.)
> But at least, I think XML doesn't have macro expansions, so that's a win.
XML, like HTML, has entities that can be expanded. Unlike HTML you can define them in XML and this led to the "Billion laughs attack": https://en.wikipedia.org/wiki/Billion_laughs_attack
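
Both issues raised in this thread (external entities behind XXE, and user-defined entities behind the billion laughs expansion) depend on declarations inside a DTD, so a parser can refuse them before any expansion happens. The sketch below is an added example, not code from any commenter; the names `check_xml`, `verdict` and `ForbiddenXML` and the sample documents are constructed for illustration.

```python
import xml.parsers.expat as expat


class ForbiddenXML(ValueError):
    """Raised when a document declares or references an entity."""


def check_xml(data: bytes) -> None:
    """Parse `data` with expat and abort on the first entity declaration."""
    parser = expat.ParserCreate()

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Internal declarations carry a literal value (expansion risk);
        # external ones carry a SYSTEM/PUBLIC identifier (XXE risk).
        kind = "external" if (system_id or public_id) else "internal"
        raise ForbiddenXML(f"{kind} entity declaration: {name}")

    def external_ref(context, base, system_id, public_id):
        # Second line of defence: never resolve an external reference.
        raise ForbiddenXML(f"external entity reference: {system_id}")

    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_ref
    parser.Parse(data, True)  # handler exceptions propagate out of Parse()


def verdict(data: bytes) -> str:
    """Return 'ok' or a rejection reason, for logging or tests."""
    try:
        check_xml(data)
    except ForbiddenXML as exc:
        return f"rejected: {exc}"
    return "ok"


# Constructed sample inputs (deliberately tiny, two levels of nesting only).
BENIGN = b"<config><item>1</item></config>"
NESTED = b'<!DOCTYPE r [<!ENTITY a "ha"><!ENTITY b "&a;&a;">]><r>&b;</r>'
EXTERNAL = b'<!DOCTYPE r [<!ENTITY x SYSTEM "http://example.invalid/x">]><r>&x;</r>'

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("nested", NESTED), ("external", EXTERNAL)):
        print(label, "->", verdict(doc))
```

Rejecting at declaration time means the document is dropped before a single entity is expanded or fetched, so the cost of a hostile input stays proportional to its size on the wire.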