XML: Unexpected security holes
David Megginson, of Megginson Technologies, gave an amusing yet ultimately serious talk on XML's potential vulnerability to content vandalism by even unsophisticated hackers. The problems mostly stem from the ability to reference remote stylesheets in a document. A highly secure industrial system might reference a large stylesheet on a relatively insecure campus computer, for example.
A cracker could then modify that stylesheet in ways that changed the perceived content of the page. Megginson used some amusing examples to demonstrate the potential results of such an attack. He showed that a bolded "not" in a sentence could be changed to match the background, making it disappear. (If "not" came at the end of a line, it's disappearance might not be noticed, drastically changing the sentence's meaning.) In another example, Megginson showed how the ability to add decorations to a line in a stylesheet would make it possible to add the words "BIG LIE:" to the beginning of a list item.
The bottom line for industry: most potential stylesheet security problems can be avoided by copying stylesheets to a secure local area and referencing them there. That might not be the ideal answer, but it is a highly effective, relatively low-cost solution that is likely to be the norm for years to come.
From http://www.javaworld.com/jw-03-2000/jw-03-xmlshow.html. Also see: