Add support for a maximum packet size to help prevent denial of service attacks. The parser should keep track of the number of bytes read per packet. When the max packet size is exceeded, it should stop reading the packet into the DOM. The major question is what to do after we hit the max packet size. I see two options:

1) Return stream error and close stream.
2) Read rest of packet but throw away contents as its being read. After finished reading, return packet error. This would mean that your connection isn't closed due to sending too large of a packet.

Perhaps a good default max packet size would be 512KB?