Hacker News

Show HN: Xoscript

2026-01-1415:525945xoscript.com

The xoscript programming language is a server-side scripting language that has been in development under various names since 1993. In 2009, the project was restarted with a focus on research,…

The xoscript programming language is a server-side scripting language that has been in development under various names since 1993. In 2009, the project was restarted with a focus on research, localization, and educational use. Between 2020-2025, it became apparent that existing server-side scripting languages had grown increasingly complex and heavy over time, leading to concerns about attack surfaces, code quality, backward compatibility (due to frequent breaking changes) and control. In response, a new edition of the programming language has been released in 2026 under the name xoscript with the goal of providing a simple, secure environment for server-side scripting. xoscript emphasizes three core principles:

simplicity, security and backward compatibility.

Simplicity

Minimal syntax rules make the language easy to learn and remember. The entire language consists of no more than 5 grammar rules which should fit in human short-term memory. It should be trivial to learn the entire xoscript grammar by heart within minutes for most developers. The xoscript project practices strict design discipline and exercises restraint in language evolution, therefore refraining from introducing additional syntax as much as possible. The project covers the basic needs of server-side scripting but aims to remain as compact (and therefore auditable) as possible. Current gzipped binaries weigh about 300kb.

Security & Auditability


Designed with server use in mind, security is a key consideration. The xoscript project aims to minimize attack surfaces by providing a limited yet well-audited set of core functions, only the absolutely minimal dependencies (ffi,curl,mariadb,pcre2), sandboxing and sound crypto. The dependencies are carefully selected and chosen to provide secure parameterized database access (mariadb), basic network access (curl), pcre2 compliant regular expressions (pcre2) and foreign function capabilities (libffi). Only a single database connector is included (mariadb) to provide upgrade paths from LAMP environments and because this is one of the most used database systems globally. By providing only a single connector the project remains auditable and maintainable for the xoscript project. The xoscript project deliberately trades ecosystem breadth for auditability and control. Thus we provide a very tight API.

Backward Compatibility


Breaking changes negatively impact revenue by driving up maintenance costs, especially for legacy systems. The xoscript project aims to let developers write code once and run it forever, as far as that is realistically possible. A special backward compatibility feature allows developers to pin their program compatibility to a specific version without missing essential updates. Some design choices of xoscript are unconventional. These include: dynamic types, dynamic scope, fault tolerant Smalltalk-like message passing, prototype-like inheritance, whitespace sensitive syntax with operators (binary messages), asymmetrical literal string boundaries. All these design choices are deliberate and explained in the faq. They may appeal to some software developers more than others. It is therefore recommended to review the language details and familiarize oneself with the design before starting a project.

Permissive BSD License

xoscript is released under the BSD 2-Clause license. This is a simple, permissive open-source license that allows the code to be used, modified, and redistributed for any purpose, including commercial and proprietary use. Users are free to study the code, incorporate it into other projects, distribute modified or unmodified versions, and deploy it in private or commercial environments. The license imposes minimal requirements, primarily the preservation of copyright notices and disclaimers. The choice of the BSD 2-Clause license reflects the project's emphasis on simplicity, long-term usability, and minimal restrictions on adoption and deployment.

Commercial Support

Commercial support for xoscript is available for organizations that require professional assistance, custom features, or deployment guidance. Interested parties are encouraged to contact the project lead directly for details regarding services, pricing, and engagement options.

Apolitical and merit-based project

In recent years, broader social and political debates have increasingly entered technical communities and open-source projects. While such discussions may be relevant elsewhere, xoscript deliberately limits its scope to software engineering concerns. Aligning a project with particular political or ideological positions tends to attract some contributors while discouraging others. From a long-term perspective, this reduces the potential contributor pool and risks excluding valuable technical expertise for reasons unrelated to the quality of the work itself. xoscript is therefore an apolitical project. It does not adopt or enforce political, social, or ideological positions. Contributions are evaluated solely on their technical merit, correctness, and long-term impact on the project.

The project does not maintain a Code of Conduct. Non-technical, unconstructive, or ideological commentary is considered out of scope and is not taken into account when reviewing contributions. As long as contributions meet project standards and add value, they are considered. Personal opinions, affiliations, or worldviews are treated as irrelevant and do not influence contribution evaluation.


Read the original article

gabordemooij

Karma: 369
...
 @Hacker__News
@hacker._news

Comments

  • By inopinatus 2026-01-1419:221 reply 

        The None object represents emptiness, or better still, the absence of information. On occasion, you will receive this object as an answer to a message, in case of the result being nothing. The most essential question you could ask the None object is: None?. The answer will always read True.
    I came for language documentation, I stayed for the existential crisis.

    • By publicdebates 2026-01-1421:541 reply

      Wow, you weren't kidding

      > In Xoscript, the meaning of True and False is not fixed. In fact, a Xoscript program gets pretty shaken up over a statement like this: [True := False.] The result of such actions is undefined, however it remains a valid action and therefore formally allowed. Furthermore, there is a Boolean object, which is the root object of both True and False, as both are derivatives of the root object. The Boolean object itself, however, does not provide any practical application.

      • By gabordemooij 2026-01-1510:05

        It's a side effect of pass-by-reference. In most languages you have to guess if something is passed by value/ref. In xoscript everything is always a reference.

  • By afandian 2026-01-1416:531 reply

    Congratulations on launching this. I see why you posted the 'history' page first, as it's obviously been a long story!

    But from a visitor's perspective, I suggest you let the code tell the story.

    Some code samples on the homepage would be very useful. Especially as, from the syntax, it looks like it isn't just another C-family language.

  • By hnlmorg 2026-01-1418:541 reply

    I’m curious about some of the design choices.

    Having a period / full stop as the EOL punctuation rather than a semicolon is a nice idea. But personally I think the idea of a line terminator is antiquated.

    Using square brackets for strings feels superfluous when you have to quote the strings anyway. Was there a reason for this design?

    I don’t like the “stop” keyword either. Is that doing anything special that the ‘.’ punctuation isn’t already doing? If so, that should be clearer.

    Using whitespace to reference objects instead of ‘::’, ‘->’ or ‘.’ is also counterintuitive. However at least this is just familiarity issue; at least just so long as tabs and multiple spaces don’t break the method calls. Otherwise you then have an easy way to introduce hard-to-spot bugs.

    Iteration syntax is weirdly terse compared to the verbosity of the rest of the language. I’m not saying the syntax is bad, but it feel jarring at first when compared to the design choices of the rest of the language.

    On the positive side of things, it’s nice to see someone experimenting with language syntax. There’s definitely aspects I do like there too.

    • By gabordemooij 2026-01-1419:081 reply

      I would love to further discuss some syntax issues.

      - STOP is from telegraphs. \n is also allowed.

      - The assymetric string boundaries (brackets) allow you to embed quotes/boundaries without escaping.

      what is terse about the loops?

      any further thoughts about EOL?

      • By hnlmorg 2026-01-1419:321 reply

        1. ‘stop’ reads like a change of execution flow (like ‘continue’, ‘break’, and ‘return’) rather than an ASCII control code. I appreciate you’re taking that from telegraphs but I wonder if you’re better off using the control code name (LF) instead?

        2. Interesting. Have you got any examples of this? Every example I’ve seen thus far has been

            [‘string constant’]
        3. I might have misunderstood the fizzbuzz example https://xoscript.com/docs.xo?chapter=examples but it looked like the following syntax set up a for-loop as a closure:

            { :i
        …
    } * 101
        It was a little surprising because usually with languages that lean heavily into English keywords (eg the Pascal/Algol/Basic derivatives) you’d see these control flows use keywords like FOR. Heck, even C-derived languages do too.

        Now I’m not saying the syntax is bad. In fact part of me rather likes it. But it definitely surprised me.

        Similarly the IF conditions surprised me with their tenseness. Though i do like their syntax too.

        Regarding the fizzbuzz example, why do some conditions have TRUE while others do not. Eg

            (i = 0) continue.
        True appears to be implicit.

            (i % 15 = 0) true: {
        …
    ), continue.
        True here is explicit.

        Is it because closures require that explicitness?

        • By gabordemooij 2026-01-1510:03

          1. I guess this is just personal taste, we can add aliases if you like. lf (lowercase seems nice). Smalltalk itself uses brk. Could at both. Personally I love the 'touch' of history, makes it seem like there is continuum in tech somehow. But that's just personal taste as well.

          2. ['the word 'Hello' has 5 chars'] ['I say: "Hi There!"'] ['In xoscript we use [' and '] ']

          this is not allowed: ['this causes a '] parsing error.']

          3. It's all just message passing.

          - {} * x is just message * with arg x - yes it's a function, which is an object, and it has a method called * - Smalltalk uses times: { ... } times: 101.

          - True is an object - (i = i) yields True, so you can send a messages to True - continue/break only work with True - , means: continue talking to object (True)

HackerNews

About