Mark O'Neill describes two examples of security vulnerabilities in XML software. Boiled down, they amount to two warnings worth keeping in mind:
- Beware of URIs – XML-based data formats are rarely standalone; they reference external resources (e.g. DTDs and entities, document fragments, images, hyperlinks) via URIs, and those URIs are attacker-controlled input like everything else in the document. Blindly dereferencing them lets the sender decide what your software fetches (an unreachable or enormous resource, or a local file in the case of an external entity declaration); blindly copying them into output lets the sender decide what your pages point at. The most common results are denial of service and cross-site scripting.
- Beware of opaque data – many XML-based data formats have elements or attributes whose values are opaque to all but a few system components. The SQL statements in Mark's post are a good example: the other components blindly pass these values along and store them until they reach the one component that can interpret them. Intermediaries cannot validate what they do not understand, so the check has to happen at that final component, or the opaque value has to be replaced by structured data that every hop can validate.
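As an added illustration of the URI warning (this is example code written for this page, not from Mark's post), the following Python script shows what blindly dereferencing an entity URI does. It uses the standard-library SAX parser, whose external general entity resolution has been off by default since Python 3.7.1, and switches it back on to reproduce the vulnerable behaviour; the hardened path keeps resolution off and additionally refuses any document that carries a DTD. The document, the temporary "secret" file and all names are constructed for the example.

```python
import io
import pathlib
import tempfile
import xml.sax
import xml.sax.handler


class TextCollector(xml.sax.handler.ContentHandler):
    """Gathers all character data the parser reports, in document order."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts)


def parse_text(xml_bytes, resolve_external_entities):
    """Parse with the stdlib expat-based SAX parser and return its text content.

    resolve_external_entities=True reproduces the pre-3.7.1 default: any
    <!ENTITY name SYSTEM "uri"> referenced in content is fetched (file://,
    http://, ...) and its contents are inlined into the document.
    """
    handler = TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(handler)
    parser.setFeature(xml.sax.handler.feature_external_ges,
                      resolve_external_entities)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text()


def has_doctype(xml_bytes):
    """Cheap pre-parse gate: a data format that never needs an inline DTD can
    simply reject any document that carries one, before the parser sees it."""
    return b"<!DOCTYPE" in xml_bytes


def safe_parse_text(xml_bytes):
    """Hardened entry point: refuse DTDs and keep entity resolution off."""
    if has_doctype(xml_bytes):
        raise ValueError("document carries a DTD; rejected by policy")
    return parse_text(xml_bytes, resolve_external_entities=False)


def build_hostile_document():
    """Constructed attacker input: a local 'secret' file plus a document whose
    DTD declares an entity pointing at that file by URI (hypothetical data)."""
    secret = "db-password=hunter2"
    path = pathlib.Path(tempfile.mkdtemp()) / "secret.txt"
    path.write_text(secret)
    doc = (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE note [\n'
        f'  <!ENTITY leak SYSTEM "{path.as_uri()}">\n'
        ']>\n'
        '<note><body>&leak;</body></note>\n'
    )
    return doc.encode(), secret


def demo():
    """Run the hostile document through the three configurations."""
    doc, secret = build_hostile_document()
    leaked = parse_text(doc, resolve_external_entities=True)
    quiet = parse_text(doc, resolve_external_entities=False)
    try:
        safe_parse_text(doc)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "vulnerable_leaks_secret": secret in leaked,   # True
        "default_leaks_secret": secret in quiet,       # False
        "policy_rejects_dtd": rejected,                # True
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same `SYSTEM` URI could just as well be `http://` to an internal host or a resource that never responds, which is the denial-of-service variant of the same mistake; nothing in the parser distinguishes the cases, so the policy has to.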
Both URIs and opaque data are common ingredients of extensible systems. Extensibility is good, but always remember that it is a double-edged sword.
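For the opaque-data warning, an added example (written for this page, not taken from Mark's post) in Python with an in-memory SQLite database. A forwarding component passes an XML message along untouched; the endpoint either executes the opaque `<query>` text it finds, or, in the hardened design, receives a structured `<lookup>` element that it validates and binds as a query parameter. The schema, table contents and messages are all constructed for the example.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed messages. The first carries SQL as opaque text; the second and
# third carry intent (a customer id) that every component can inspect.
HOSTILE_OPAQUE = (
    "<request><query>SELECT name FROM customers WHERE id = 2 "
    "UNION SELECT password FROM users</query></request>"
)
HOSTILE_STRUCTURED = (
    '<request><lookup customer_id="2 UNION SELECT password FROM users"/></request>'
)
GOOD_STRUCTURED = '<request><lookup customer_id="2"/></request>'


def make_db():
    """Hypothetical schema and rows for the example."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, password TEXT);
        INSERT INTO customers VALUES (1, 'Alice'), (2, 'Bob');
        INSERT INTO users VALUES (1, 'hunter2');
    """)
    return db


def forward(xml_text):
    """Intermediate component: parses, re-serialises and passes the message on.
    To it, the contents of <query> are just text; it cannot tell safe from
    hostile and so cannot be the place where validation happens."""
    root = ET.fromstring(xml_text)
    return ET.tostring(root, encoding="unicode")


def execute_opaque(db, xml_text):
    """Vulnerable endpoint: runs whatever SQL text the message carries."""
    sql = ET.fromstring(xml_text).findtext("query")
    return db.execute(sql).fetchall()


def execute_structured(db, xml_text):
    """Hardened endpoint: the message carries a customer id, not SQL. The id
    is validated as an integer and bound as a parameter, so the sender never
    gets to write any part of the statement."""
    lookup = ET.fromstring(xml_text).find("lookup")
    raw = (lookup.get("customer_id") if lookup is not None else None) or ""
    if not raw.isdigit():
        raise ValueError(f"customer_id must be a positive integer, got {raw!r}")
    return db.execute(
        "SELECT name FROM customers WHERE id = ?", (int(raw),)
    ).fetchall()


def demo():
    """Send each constructed message through the forwarder to its endpoint."""
    db = make_db()
    leaked_rows = execute_opaque(db, forward(HOSTILE_OPAQUE))
    good_rows = execute_structured(db, forward(GOOD_STRUCTURED))
    try:
        execute_structured(db, forward(HOSTILE_STRUCTURED))
        hostile_rejected = False
    except ValueError:
        hostile_rejected = True
    return {
        "opaque_leaked_password": ("hunter2",) in leaked_rows,  # True
        "structured_good_result": good_rows,                   # [('Bob',)]
        "structured_hostile_rejected": hostile_rejected,       # True
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point is not that parameter binding is novel; it is that the hardened message format moves the value out of the opaque blob and into a field with a declared meaning, which is what lets the endpoint (and any intermediary that cares) validate it.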