Mark Doliner reported a security-related issue in an email sent to security at Ignite, on August 17, 2010. This issue must be addressed.
The content of his emails has been documented in this JIRA issue, but is visible to the relevant developers only.
Unless I can reproduce a related issue, I'm considering this issue resolved.
On a side-note: future XML parsing should be done by specialized third-party libraries, not our code. Something to consider for a future release.