Comment 2 for bug 1100282

I wrote a 4KB request similar to the above that took about 10 minutes to consume > 1 GB server memory.

Thierry's suggestion fixes the DoS vulnerability, but then the same request will still return a 500 as the subsequent code doesn't know how to deal with XML Entities.

The attached patch completely ignores XML entities, comments, and processing instructions -- the sample request above now results in a quick 401 Unauthorized, as expected.