Comment 2 for bug 2066270

Nick Wellnhofer (nick-aevum) wrote :

Regarding compression support, one of the major issues is that libxml2 tries to decompress input files by default without any API controlling the behavior. This allows trivial DoS attacks with zip bombs. We could add new API features like disabling decompression, but this would ultimately require changes in 100+ downstream projects which seems unrealistic. At some point, libxml2 should be secure-by-default and disable automatic decompression.
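The policy the comment argues for (decompression off unless a caller opts in, and bounded even then) can be enforced in front of any XML parser. The following is an added illustration, not part of this comment and not libxml2 code: it sniffs the gzip/xz magic bytes, refuses compressed input by default, and when decompression is enabled uses zlib's `max_length` so a small gzip "bomb" is rejected before its full payload is ever materialised. The function names, the magic-number table and the generated test payload are all constructed for this example.

```python
"""Defensive pre-check for XML input that a parser might auto-decompress.

Added illustration for the bug comment above; not libxml2 code. It treats
compressed input as something the caller must opt into and, even then, caps
the inflated size so a few KiB of gzip cannot expand into gigabytes.
"""
import gzip
import xml.etree.ElementTree as ET
import zlib

# Magic-number prefixes of formats a parser might transparently inflate
# (gzip/zlib, and xz when built with liblzma). Table constructed for this
# example; it is not taken from libxml2.
COMPRESSION_MAGIC = {
    b"\x1f\x8b": "gzip",
    b"\xfd7zXZ\x00": "xz",
}


def detect_compression(data: bytes):
    """Return the compression format name, or None for plain bytes."""
    for magic, name in COMPRESSION_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def bounded_gunzip(data: bytes, max_output: int) -> bytes:
    """Inflate gzip data, refusing to emit more than max_output bytes.

    decompressobj.decompress(data, max_length) stops once max_length bytes
    have been produced, so we ask for one byte more than the cap: if that
    extra byte arrives, the stream expands past the cap and is rejected
    without the full payload ever being allocated.
    """
    inflater = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # gzip wrapper
    out = inflater.decompress(data, max_output + 1)
    if len(out) > max_output:
        raise ValueError(f"decompressed size exceeds {max_output} bytes")
    if not inflater.eof:
        raise ValueError("truncated or corrupt gzip stream")
    return out


def parse_untrusted_xml(data: bytes, allow_compressed: bool = False,
                        max_inflated: int = 1 << 20):
    """Parse XML bytes; compressed input is refused unless explicitly enabled.

    Secure-by-default: the caller must opt in to decompression, and opting
    in still enforces a size cap (hypothetical policy, not a libxml2 API).
    """
    fmt = detect_compression(data)
    if fmt is not None:
        if not allow_compressed:
            raise ValueError(f"refusing {fmt} input: decompression disabled")
        if fmt != "gzip":
            raise ValueError(f"{fmt} input not handled by this example")
        data = bounded_gunzip(data, max_inflated)
    return ET.fromstring(data)


def classify(data: bytes, allow_compressed: bool = False,
             max_inflated: int = 1 << 20) -> str:
    """Report 'parsed:<root tag>' or 'rejected' for a given policy."""
    try:
        root = parse_untrusted_xml(data, allow_compressed, max_inflated)
        return "parsed:" + root.tag
    except ValueError:
        return "rejected"


def make_gzip_bomb(inflated_size: int) -> bytes:
    """Constructed test payload: a tiny gzip member that inflates to
    inflated_size bytes of a well-formed XML document."""
    body = b"<doc>" + b"A" * (inflated_size - len(b"<doc></doc>")) + b"</doc>"
    return gzip.compress(body, compresslevel=9)


if __name__ == "__main__":
    bomb = make_gzip_bomb(8 << 20)  # 8 MiB of payload, a few KiB on the wire
    print("bomb size on the wire:", len(bomb), "bytes")
    for allow, cap in [(False, 1 << 20), (True, 1 << 20), (True, 16 << 20)]:
        print(f"allow_compressed={allow} cap={cap}:",
              classify(bomb, allow_compressed=allow, max_inflated=cap))
```

With the defaults the bomb is rejected twice (once because decompression is off, once because the 1 MiB cap is exceeded) and only parses when a caller explicitly raises the cap above the inflated size. The cap check happens inside zlib's bounded call, so the rejected cases never allocate the 8 MiB.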